How to Hand Over Website Credentials Without Using Email
Every web agency does this. A project wraps up, and someone sends an email that reads: "Hi — here are your login details: username: admin, password: Welcome123!" It feels fine in the moment. It is not fine. Here's why, and what to do instead.
What credentials are typically handed over
A typical website project involves more logins than most agencies realise. By the time you add them all up, a single client handoff might include 8–12 separate sets of credentials:
- Web hosting login (cPanel, WP Engine, Kinsta, SiteGround)
- Domain registrar account (Namecheap, GoDaddy, Porkbun)
- CMS admin credentials (WordPress, Shopify, Webflow, Squarespace)
- Google Workspace or Microsoft 365 admin account
- DNS management (Cloudflare, your registrar)
- Email marketing platform (Mailchimp, Klaviyo, ActiveCampaign)
- Analytics (Google Analytics, Google Search Console)
- Payment gateways (Stripe, PayPal Business)
- Social media page admin access
- CDN or performance tool credentials
- API keys for third-party integrations
- SSL certificate if manually managed
Each of these gives access to something valuable. Hosting access can take a site down. Domain registrar access can redirect traffic anywhere. Treat all of them as sensitive.
Methods you should stop using
Plain-text email
Email is not encrypted in transit between all mail servers, and once delivered it sits in both inboxes indefinitely. If either party's email account is compromised, every credential you've ever sent is exposed.
WhatsApp or SMS
WhatsApp messages are backed up to Google Drive or iCloud — often in plain text. SMS is not encrypted at all. Neither is designed for credential storage.
Shared Google Doc or Notion page
These live at a permanent link that can be accidentally set to "anyone with the link." They're not designed to store secrets and have no access controls per field.
Pasting into a project management tool (Asana, Monday, Trello)
Project management tools have wide team access by default and often no field-level encryption. Comments and task descriptions are not built for sensitive data.
PDF document attached to an email
PDFs aren't encrypted unless you specifically set a password, and most people never do. The file then lives in email, downloads folders, and potentially cloud backups on both sides.
Secure ways to hand over credentials
Dedicated password manager with secure sharing
1Password and Bitwarden both have Business/Teams plans with vault sharing. You create an item, share it with the client's email, and they access it via their own account. The downside: the client needs their own account on the same platform.
Good for tech-savvy clients or ongoing relationships.
One-time secret link (e.g. One-Time Secret, privnote)
These services let you paste a password, generate a one-time link, and the message self-destructs after being read once. It's encrypted in transit and never lives in email. The downside: there's no record, no audit trail, and the client must act immediately.
Good for single credentials, not a full project handoff.
Encrypted handoff portal
A dedicated client portal with an encrypted credential vault handles everything in one place. The agency stores each credential (username, password, URL, notes) per project. Credentials are encrypted at rest. Clients reveal passwords with a single click — no copy-pasting credentials into emails at all.
Best for full project handoffs involving multiple credentials.
What "encrypted at rest" actually means
When a credential vault advertises "encrypted at rest," it means the passwords stored in the database are not readable even if someone accesses the database directly. The encryption key is separate from the data.
Compare this to storing passwords in a spreadsheet or Google Doc, where the data is readable by anyone with database or file access — including cloud storage providers, their employees, or anyone who compromises the account.
AES-256 is the standard. It's the same encryption used by banks and government systems. Any tool you use for credential storage should use at minimum AES-128, and ideally AES-256.
Stop emailing passwords
SmoothHandoff's credential vault stores every login with AES-256 encryption. Clients reveal passwords with a single click inside their branded portal — no email required.