kimdontdoit

How do you safely share passwords?

Hi dev.to!

Having worked in agencies and having to exchange passwords and API keys quite regularly, there doesn't seem to be a single agreed-upon way to send passwords.

How do you do it or what do you use? I expect everyone has already sent a password by email or Slack in the past 😅

Top comments (15)

Dhwanit Shah

I've used 1Password in my teams before. It could end up getting expensive depending on the size of your team, but it's a great way to share sensitive information like credentials and financial information within the team, while also ensuring the individual members of the team are following best practices with their own credentials as well.

And as an added bonus, it's made in Canada (the Canadian member of my team that got us to use it added this in the "pro" column when making the case for it)

kimdontdoit

Thanks for your answer Shah 💯
Couldn't live without my personal/work password managers. Although I wonder how you would share a password outside of the team?

I made the switch from Lastpass to Bitwarden about a year ago and would definitely recommend it for budget reasons, but I can't say anything about how it compares to 1Password (although I'm from Canada too)

Dhwanit Shah

You can create shared vaults with 1Password, which is great for teams. At my last role, we used this to maintain access to our company social media accounts, for example, with the IT team rotating the passwords often and the marketing teams just getting the update from the shared vault when needed. It also made 2-step authentication a breeze since we weren't having to chase down whose phone got the code. In the newer version you can now also share individual entries with people, restricting them so they are only available for x days, or can be opened x times.

HiJoe

I look at it like this…a couple bucks a month per user is probably cheaper than dealing with a server breach, or unwanted access.

kimdontdoit • Edited

Oh definitely, with so many free options available too, people have no excuse to use 123 weak passwords lol

Clay Ferguson

I'd say using Public Key Encryption tools where only the person you intend to be able to decrypt the data can decrypt it. It's just based on asymmetric encryption where you encrypt the data with the recipient's public key. Then you don't even need a secure way to send them the data, which is of course the beauty of PKE.

kimdontdoit • Edited

Thanks for the share Ferguson 🔒

For the added security and between devs, I would definitely look into this. But tbh, I even had to work with a client's dev who complained about using SSH keys... (extreme scenario lol) Depending on the person/client I'm in contact with, just asking for a Google API key can be a hassle so I wouldn't risk adding any level of complexity 😅

Clay Ferguson

Google has a way to encrypt emails, so that might be a [less secure] way that can work for less technical people, or you could just send them the actual script commands to use for managing an SSH key, and decrypting a file with it, if they're not sure how.
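
The public-key approach from the two comments above, written out as the script commands one could hand to a recipient. This is an added example, not part of the original thread; it assumes the `openssl` CLI and uses an RSA key pair rather than an SSH key, and all file names and the sample secret are constructed.

```shell
#!/usr/bin/env bash
# Added example: send a short secret encrypted to the recipient's public key.
# Uses RSA-OAEP via the openssl CLI; file names and the secret are constructed.

# Recipient: create a key pair. Only pub.pem is ever sent to anyone.
make_keypair() {  # $1 = directory for the key files
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$1/priv.pem" 2>/dev/null
  chmod 600 "$1/priv.pem"
  openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# Both sides: SHA-256 fingerprint of a public key, to compare over a second
# channel (call, in person) so the sender knows whose key it really is.
fingerprint() {  # $1 = pub.pem
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Sender: encrypt stdin to the recipient's public key. RSA-OAEP only fits
# short values (about 300 bytes with this key size): passwords, API keys.
encrypt_for() {  # $1 = recipient pub.pem, $2 = ciphertext output file
  openssl pkeyutl -encrypt -pubin -inkey "$1" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out "$2"
}

# Recipient: decrypt with the private key that never left their machine.
decrypt_with() {  # $1 = priv.pem, $2 = ciphertext file
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Demo with constructed data: "other" stands for anyone who intercepts the file.
demo=$(mktemp -d); mkdir "$demo/recipient" "$demo/other"
make_keypair "$demo/recipient"; make_keypair "$demo/other"
echo "recipient key fingerprint: $(fingerprint "$demo/recipient/pub.pem")"
printf '%s' 'constructed-api-key-123' |
  encrypt_for "$demo/recipient/pub.pem" "$demo/secret.bin"   # safe to email
echo "recipient reads: $(decrypt_with "$demo/recipient/priv.pem" "$demo/secret.bin")"
decrypt_with "$demo/other/priv.pem" "$demo/secret.bin" >/dev/null 2>&1 ||
  echo "other key: decryption fails"
```

The ciphertext file can travel over email or chat; what still needs care is confirming the public key's fingerprint with the recipient before encrypting to it.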

HiJoe

That’s a real good point.

kimdontdoit • Edited

The reason I'm asking is also because I got recommended to try Gmail's confidential mode.

On my side, I'm used to sending a generated link containing a note that expires from onetimesecret.com which is convenient/fast and still better than clear-text passwords in an email, but I'm surprised (and it makes me wary) that it isn't as popular as I thought it was. I also had occurrences where the recipient could not open it.

Curious about what else is out there 🤔

kimdontdoit

Well, this post definitely taught me something (didn't know about Bitwarden Send 💀)

And yes emails/Slack worst thing ever haha but you'd be surprised how often it happens in my use cases ¯\_(ツ)_/¯ Database passwords, API keys, admin/account/tool passwords, etc. I collaborated with a marketing agency and they sent screenshots of passwords 🙃 I think even our phones already recognize text in photos by default lol

HiJoe

I use Bitwarden secure send, internally no reason to share if using Bitwarden for business or enterprise, everyone gets their own account. It has user access controls, groups, etc. If you want to, you can use your YubiKey-type device for access as well. I’ve never used 1Password’s premium, but 1Password and Bitwarden pretty much have the same features.

kimdontdoit

Omg, you're the best! I use Bitwarden every day and never paid attention to the Send button (For some reason, I thought it was sharing with other Bitwarden users/team plans only)

Richard Guay

I use Keybase for sending passwords, API keys, etc. It works great and is easy to use.

topninja

The 1Password Chrome extension is good, I think, for team projects.
For individuals, it would be great to send via email (Gmail is best???).