How to Share Client Login Credentials Securely as a Freelancer or Agency

Every freelancer and agency faces the same handoff challenge: you have built the website, set up the hosting, configured the email accounts, and managed the social media profiles. Now the project is done, and the client needs all the login credentials.

The question is how you deliver them. Are you pasting passwords into a Messenger chat? Typing them in a plain-text email? Putting them all in a shared Google Doc? Each of these methods creates a serious security risk.

This guide covers why common methods are dangerous and provides practical alternatives that protect both you and your client.

Common Methods That Put Credentials at Risk

1. Chat Apps (iMessage, Messenger, Slack DM)

The most natural instinct is to send credentials through whatever chat app you use to communicate with the client.

Risks:

• Messages are stored permanently in chat history
• A lost or stolen device exposes every credential shared
• Messages can be accidentally sent to the wrong chat or group
• Chat backups may include plaintext passwords

2. Email

Email is the default business communication tool, but it is poorly suited for sharing passwords.

Risks:

• Email is not encrypted by default (standard SMTP sends in plaintext)
• Messages sit in the inbox indefinitely
• A compromised email account exposes every password ever shared
• Searching "password" in an inbox reveals credentials instantly

3. Shared Documents (Google Sheets, Notion)

Some teams maintain a shared spreadsheet or document with all credentials listed.

Risks:

• A leaked share link exposes everything
• Permission management tends to become lax over time
• Document version history preserves old passwords
• A compromised Google/Notion account grants access to all credentials

Principles for Secure Credential Sharing

1. Split Delivery

Never send a username and password through the same channel.

• Username: Send via email or project management tool
• Password: Send via a separate channel (phone call, password-protected memo, etc.)

2. Temporary Access

Do not share credentials permanently. Use methods that expire.

• Set expiration times on shared links
• Instruct the client to change the password immediately after accessing it

3. Least Privilege

Grant the minimum level of access necessary.

• WordPress: Start with Editor role instead of Administrator
• Hosting: Create a separate user account instead of sharing root credentials
• Social media: Use platform invitation features instead of sharing passwords

Secure Methods by Scenario

WordPress Admin Account Handoff

Method	Security Level	Details
Create separate admin account	Best	Create a client-specific account and send an invitation email
Temporary password + secure memo	Good	Set a temporary password, share via LOCK.PUB with 24-hour expiry
Paste password in Messenger	Risky	Stored permanently in chat history

Recommended workflow:

1. Create a new WordPress admin account for the client
2. Set a temporary password
3. Share the temporary password via a LOCK.PUB password-protected memo (24-hour expiry)
4. Send the memo link via email, share the memo password via phone or separate message
5. Instruct the client to change the password on first login
6. Deactivate or delete your own admin account

Hosting Panel Credentials

Information	Delivery Method
Hosting URL	Email or documentation
Username	Email
Password	LOCK.PUB secret memo (with expiration)
SSH keys	Encrypted file transfer

Social Media Accounts

Most social media platforms offer role-based access that avoids password sharing entirely.

• Instagram: Business account > Settings > Roles > Add partner
• Facebook: Page Settings > Page Roles > Add administrator
• YouTube: Brand Account settings > Add manager
• LinkedIn: Company Page > Admin tools > Add admin

If direct password sharing is unavoidable, use a time-limited secure memo.

Email Account Configuration

Information	Delivery Method
SMTP/IMAP server addresses	Email or documentation
Port numbers	Email or documentation
Email address	Email
App password	LOCK.PUB secret memo (3-hour expiry)

Using LOCK.PUB for Credential Handoff

LOCK.PUB is particularly well-suited for the freelancer/agency credential handoff scenario.

How It Works

1. Create a password-protected memo on LOCK.PUB
2. Enter the login credentials
3. Set an access password and expiration time (e.g., 24 hours)
4. Send the memo link to the client via email
5. Share the access password via phone or a separate channel

Why It Works for Credential Sharing

• Auto-expiration -- Credentials are not sitting in a chat log forever
• Password gate -- The link alone is not enough to access the content
• Access tracking -- You can verify whether the client has viewed the credentials
• No account required -- The client does not need to create an account to access the memo

Client Handoff Checklist

Use this checklist when completing a project to ensure all credentials are transferred systematically.

• CMS / website admin account
• Hosting panel credentials
• Domain registrar account
• FTP / SSH access credentials
• Email account configuration
• Social media account access (role transfer)
• Third-party API keys (payment, analytics, etc.)
• SSL certificate details
• DNS configuration documentation
• CDN or caching service credentials

Conclusion

Sending passwords through Messenger or email is convenient, but it creates lasting security vulnerabilities for both you and your client. By using split delivery, temporary access methods, and the least privilege principle, you significantly reduce the risk of credential exposure.

Create a password-protected memo on LOCK.PUB for your next client handoff -- set an expiration, share the link, and verify that your client accessed the information.

Create a Secret Memo →