May 18, 2026 · teams, security, how-to

The best way to share passwords with your team (and what to never do)

Step-by-step guide to sharing passwords across a team without Slack messages, shared docs, or "ask me on Zoom" exchanges.

If your team is still pasting passwords into Slack, you’re not alone — and you’re also not safe. Slack stores those messages. Even after you “delete” them, copies exist in workspace exports, backups, and integrations.

Here’s the right way to do it.

The three patterns to avoid

  • Slack DMs and channels — indexed, searchable, exported. A breach of any member’s account leaks every credential they were ever sent.
  • Shared docs (Google Docs, Notion) — version history keeps the password forever, even after you “remove” it.
  • Verbal exchange on a call — fine for a one-off, terrible for revocation. You can’t take it back, and you have no audit trail.

The pattern that works

Use a zero-knowledge shared vault. A “vault” is a container with its own encryption key. When you share it, the vault key is wrapped (re-encrypted) with each member’s master-password-derived key — so each person decrypts the vault locally on their device. The server only ever stores ciphertext.

Critically, when you remove a member, the vault keys rotate. Their cached ciphertext becomes undecryptable.
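The wrap-and-rotate model described above, sketched as an added example that is not LitePassword's code. It shows one vault key wrapped per member, and revocation done by re-encrypting under a fresh key that is wrapped only for the members who stay. AES-256-GCM, scrypt and every function name here are assumptions chosen for illustration, since the page does not name its algorithms.

```javascript
// Added illustration, not LitePassword's code. Uses only Node.js built-in crypto.
const crypto = require("crypto");

// AES-256-GCM; blob layout is iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Returns the plaintext, or null when the key is wrong or the blob was altered.
function open(key, blob) {
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
    d.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  } catch {
    return null;
  }
}

// Derived on the member's device; the master password is never sent to the server.
const memberKey = (password, salt) => crypto.scryptSync(password, salt, 32);

// The server-side record: vault ciphertext plus one wrapped vault key per member.
function createVault(secret, members) {
  const vaultKey = crypto.randomBytes(32);
  const wrapped = {};
  for (const [name, key] of Object.entries(members)) wrapped[name] = seal(key, vaultKey);
  return { ciphertext: seal(vaultKey, secret), wrapped };
}

// A member unwraps their copy of the vault key locally, then decrypts the vault.
function readVault(vault, name, key) {
  const vaultKey = vault.wrapped[name] ? open(key, vault.wrapped[name]) : null;
  return vaultKey && open(vaultKey, vault.ciphertext);
}

// Revocation as rotation: a remaining member's client re-encrypts under a fresh
// vault key and wraps it only for the members who stay.
function revoke(vault, removed, actor, actorKey, members) {
  const secret = readVault(vault, actor, actorKey);
  if (!secret) throw new Error("actor cannot open the vault");
  const staying = Object.fromEntries(Object.entries(members).filter(([n]) => n !== removed));
  return createVault(secret, staying);
}
```

Rotation governs the vault as it is stored after revocation. A password the removed person already opened is known to them, so change it at the service as well.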

Step-by-step with LitePassword

  1. Create a shared vault — Vaults page → New vault. Name it after the scope: “Production credentials”, “Marketing tools”, “Client X”.
  2. Add secrets — pick the type (login, password, credit card, secure note, or custom) and fill the default fields. Use the built-in generator for new credentials.
  3. Invite teammates — Users page → Invite user. Email + role (Manager or View only).
  4. Grant vault access — open Manage Vault Access from the user row and toggle the vaults this person should reach.
  5. They unlock on their device — on first unlock their client unwraps the vault key with the one-time invitation key, then re-wraps it with their own master-derived key. Plaintext never leaves their device.

What if someone leaves the team?

Open the Users page and hit Revoke Access on their row. Vault keys for every vault they had access to rotate automatically. Their cached copies stay on their old device but can no longer decrypt anything.

If you wait three weeks to revoke, that’s three weeks of potential exposure. Do it the same day they leave.

What about contractors and clients?

Use the View only role plus per-vault access. The contractor sees the one vault they need and nothing else. When the project ends, you revoke and the keys rotate. The contractor can’t read anything from the moment you click revoke.

TL;DR

Stop sending passwords through any channel that keeps a copy you don’t control. Move them into a zero-knowledge shared vault. Pay attention to revocation — that’s where most teams fail.

Create a free account and try the flow above with one or two teammates. If you can run through the five steps in under ten minutes, you have your answer.
