At some point, every team needs to share a password. A shared company account, a staging server, a social media login, a client's FTP credentials. The question is not whether you will share passwords — it is how you will share them.
Most teams default to whatever is fastest: a Slack message, an email, a text, a sticky note on a monitor. Every one of these methods is a security incident waiting to happen. This article explains why those approaches are dangerous and how UnveilPass lets you share credentials with end-to-end encryption so the server never sees your data.
Why Sharing Passwords Over Email and Chat Is Dangerous
When you paste a password into an email or a Slack message, you are creating a permanent copy of that credential in a system you do not control. Here is what can go wrong:
- Email is stored forever. Most email providers keep messages indefinitely. That password you sent to a colleague in 2023 is still sitting in their inbox — and in yours. If either account is compromised, the attacker has the password in plain text.
- Chat logs are searchable. Slack, Teams and Discord all index message history. Anyone with access to the workspace can search for "password" and find every credential ever shared. Former employees may retain access to exported chat archives.
- Screenshots and clipboard. Even if you delete the message, the recipient may have taken a screenshot, copied it to a notes app or saved it in a text file. You have no control over what happens after you hit send.
- Shared channels and forwarding. An email gets forwarded. A Slack message gets posted in the wrong channel. A text message is visible on a notification screen. These are not hypothetical scenarios — they happen every day.
- No revocation. Once a password is sent via email or chat, you cannot take it back. Even if you change the password, the old message still exists as evidence of your sharing pattern and potentially of related credentials.
Real-world example: In 2024, a major tech company disclosed a breach that started when an engineer shared database credentials in a Slack channel. An attacker who gained access to a single employee's Slack account was able to search message history and find production database passwords shared months earlier.
How UnveilPass Sharing Works
UnveilPass uses X25519 Elliptic Curve Diffie-Hellman (ECDH) to share passwords without the server ever seeing the plaintext. Here is how it works under the hood:
- Each user has a key pair. When you create your UnveilPass account, an X25519 key pair is generated in your browser. The private key is encrypted with your vault key and stored on the server. The public key is stored in the clear so other users can find it.
- Shared key derivation. When you share a credential with someone, your browser computes a shared secret using ECDH: your private key combined with the recipient's public key. This shared secret is then fed through HKDF-SHA256 to produce an AES-256 encryption key.
- Encrypt and send. Your browser encrypts the credential data (username, password, notes and all fields) with the derived AES key using AES-256-GCM. Only the ciphertext is sent to the server.
- Recipient decrypts. The recipient's browser performs the same ECDH computation (their private key + your public key) to derive the same shared secret and decrypt the data locally.
Zero-knowledge guarantee: The server stores only ciphertext. It never has access to the shared secret, the derived AES key or the plaintext credentials. Even if the server were compromised, the attacker would get nothing useful.
Sync Modes: One-Way and Two-Way
When you share a credential, you choose a sync mode that determines how updates flow between the owner and the recipient:
| Mode | Who Can Update | Best For |
| --- | --- | --- |
| One-Way | Owner only | Distributing credentials you control — the recipient always gets the latest version but cannot modify it |
| Two-Way | Both owner and recipient | Shared accounts where either party might change the password — both sides stay in sync automatically |
With one-way sync, if you rotate a password, every recipient gets the update automatically the next time their vault syncs (within 30 minutes or on the next login). With two-way sync, if a recipient changes the password on their end, the update flows back to you as well.
TTL Expiration: Shares That Self-Destruct
Not every shared credential should last forever. UnveilPass lets you set a Time-To-Live (TTL) on each share. When the TTL expires, the share is automatically revoked and the recipient loses access.
Available TTL options range from 5 minutes to 30 days — or unlimited for credentials that should remain shared permanently. Here are some practical scenarios:
- 5 minutes: You need to give a colleague a one-time login for a quick task. Share it, they log in, the share expires before they even finish their coffee.
- 24 hours: A contractor needs access to a staging environment for the day. Share the credentials in the morning; they are automatically revoked by tomorrow.
- 7 days: An external auditor needs access to a system for a week-long review. No need to remember to revoke access — it happens automatically.
- Unlimited: Your co-founder needs permanent access to shared company accounts. The share persists until you explicitly revoke it.
Lock toggle: When you enable the Lock option on a share, the recipient cannot dismiss or remove it from their vault. This is useful for mandatory credentials that team members must keep — such as a required VPN login or a company-wide admin tool.
Team Vaults: Structured Sharing at Scale
Sharing individual credentials works well for small groups. But when your organization grows to 10, 50 or 200 people, you need something more structured. That is where Teams come in.
A Team in UnveilPass is a shared vault with its own encryption key. Here is how the cryptography works:
- When you create a team, a random AES-256 Team Key is generated in your browser.
- For each team member, the Team Key is encrypted with a key derived via ECDH (your private key + the member's public key) and stored on the server.
- When a member opens the team vault, their browser performs the matching ECDH computation (their private key + your public key) to decrypt the Team Key, then uses it to decrypt team entries.
- The server never sees the Team Key in plaintext. Adding or removing members does not require re-encrypting existing entries.
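The direct-share flow from "How UnveilPass Sharing Works" and the Team Key wrapping described above can be traced end to end in the following added example, which is not UnveilPass's own code. It uses Node.js's built-in crypto module in place of the browser; the function names, the HKDF salt and info label, the 12-byte nonce and the nonce, tag, ciphertext layout are assumptions, and each public key is taken to be authentic.

```javascript
// Added example: Node.js built-in crypto only. HKDF salt/info, the 12-byte nonce
// and the nonce|tag|ciphertext layout are assumptions, not UnveilPass's format.
const nodeCrypto = require('node:crypto');
const newUser = () => nodeCrypto.generateKeyPairSync('x25519');

// ECDH(own private, peer public) -> HKDF-SHA256 -> 32-byte AES-256 key.
function deriveShareKey(ownPrivate, peerPublic) {
  const secret = nodeCrypto.diffieHellman({ privateKey: ownPrivate, publicKey: peerPublic });
  const info = Buffer.from('example-share-v1'); // hypothetical context label
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(32), info, 32));
}

// AES-256-GCM; returns nonce || tag || ciphertext, the only bytes a server would store.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

function demo() {
  const alice = newUser(), bob = newUser(), carol = newUser();
  const entry = Buffer.from(JSON.stringify({ username: 'deploy', password: 'constructed-sample' }));

  // Direct share: Alice encrypts for Bob; Bob derives the same key from his side.
  const shareBlob = seal(deriveShareKey(alice.privateKey, bob.publicKey), entry);
  const bobSees = unseal(deriveShareKey(bob.privateKey, alice.publicKey), shareBlob);

  // Team vault: one random Team Key encrypts the entry once; it is wrapped per member.
  const teamKey = nodeCrypto.randomBytes(32);
  const teamEntry = seal(teamKey, entry);
  const wrappedForBob = seal(deriveShareKey(alice.privateKey, bob.publicKey), teamKey);
  const bobTeamKey = unseal(deriveShareKey(bob.privateKey, alice.publicKey), wrappedForBob);
  const viaTeam = unseal(bobTeamKey, teamEntry);

  // A user outside the share, or a blob altered in storage, fails GCM authentication.
  const fails = (fn) => { try { fn(); return false; } catch { return true; } };
  const outsiderRejected = fails(() => unseal(deriveShareKey(carol.privateKey, alice.publicKey), shareBlob));
  const tampered = Buffer.from(shareBlob); tampered[30] ^= 1;
  const tamperRejected = fails(() => unseal(deriveShareKey(bob.privateKey, alice.publicKey), tampered));
  return { bobSees: bobSees.toString(), viaTeam: viaTeam.toString(), outsiderRejected, tamperRejected };
}
```

Adding a member in this model means wrapping the same Team Key once more for the new member's public key; the stored `teamEntry` blob is untouched.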
Per-Entry Permissions
Not everyone on a team needs the same level of access. UnveilPass supports two permission levels per shared entry:
- Read: The member can view the credential but cannot modify it. Ideal for junior team members or external collaborators who need access but should not change passwords.
- Read/Write: The member can view and modify the credential. Changes are encrypted and synced to all other team members with access. Use this for shared accounts where multiple people may need to rotate the password.
Team roles add another layer of control. Owners have full administrative access. Admins can manage members and entries. Regular members can only access the entries shared with them at the permission level assigned.
Managing Contacts
Before you can share a credential with someone, they need to be in your contacts. The Contacts page in UnveilPass lets you invite other users by email. Here is the flow:
- You enter the recipient's email address and send an invitation.
- They receive an email with an invitation link.
- Once they accept, their public key becomes available to you for ECDH key exchange.
- You can now share any vault entry or secure note with them — the encryption happens automatically.
If a contact does not have an UnveilPass account yet, the invitation email prompts them to create one. Once they register and accept the invitation, sharing becomes available immediately.
Note sharing too: You can share secure notes with contacts and teams, not just vault entries. Shared notes include attachments — files are decrypted with your vault key and re-encrypted with the ECDH shared key so the recipient can download them.
Practical Examples
Here are real-world scenarios where secure sharing replaces insecure habits:
Shared company accounts. Your team uses a single login for a SaaS tool that does not support per-user accounts. Instead of pinning the password in a Slack channel, share it via UnveilPass with two-way sync. When someone rotates the password, everyone gets the update automatically.
Client credentials. An agency manages social media accounts for multiple clients. Each client's credentials are shared with the team members assigned to that account — with read-only access for junior staff and read/write for senior managers. When the client engagement ends, revoke the shares with one click.
WiFi passwords. The office WiFi password changes monthly. Share it with all team members using one-way sync. Update it once in your vault and every team member sees the new password on their next sync — no more printing new signs for the break room.
Contractor access. A freelance developer needs access to a staging database for two weeks. Share the credentials with a 14-day TTL. When the project wraps up, the share expires automatically. No need to remember to revoke access or change the password.
Emergency handoff. You are going on vacation and a colleague needs access to a critical system just in case. Share it with a 7-day TTL and the lock toggle enabled so they cannot dismiss it. When you return, the share has already expired.
What Not to Do
Even with a secure sharing system in place, some habits are worth breaking explicitly:
- Do not share your master password. Your master password is the root key to your entire vault. Never share it with anyone — not even your IT department. Use Emergency Access if you need someone to have access in an emergency.
- Do not screenshot shared credentials. If you take a screenshot of a shared password, you are creating an unencrypted copy that bypasses all the security UnveilPass provides.
- Do not copy shared passwords into other tools. Pasting a shared credential into a spreadsheet, a Notion page or a text file defeats the purpose of end-to-end encryption. Access it through UnveilPass every time.
- Do not leave shares active longer than needed. Use TTLs aggressively. If someone only needs access for a day, set a 24-hour TTL. The principle of least privilege applies to duration as well as permissions.
Remember: The most common cause of credential leaks is not sophisticated hacking — it is human error. A password shared in the wrong Slack channel, an email forwarded to the wrong person, a sticky note left on a desk. End-to-end encrypted sharing eliminates these risks entirely.
Getting Started
If you are still sharing passwords over email or chat, switching to UnveilPass takes about five minutes:
- Create your vault at unveilpass.com.
- Add the credentials you need to share.
- Invite your team members via the Contacts page.
- Share individual entries or create a Team for structured group access.
- Set sync modes, TTLs and permissions to match your workflow.
Every step happens with zero-knowledge encryption. The server never sees your passwords, your team's passwords or the shared keys used to encrypt them. That is the fundamental difference between sharing a password in a chat message and sharing it through UnveilPass.