- #security
- #passwords
- #credentials
- #small-business
How I handle client credentials without losing sleep
Client passwords should not live in a text thread. Here is my four-rule system: one vault, no secrets over email or SMS, least access, and a real offboarding step when the project ends.

Somewhere in your text messages there is probably a password. Maybe the website login you sent a designer three years ago, maybe an account you shared with a vendor who no longer works with you. That is the normal state of small business credentials, and it is the thing most likely to burn you.
I run a one-person web shop out of the Heber City and Park City area. Clients hand me real keys: hosting logins, domain registrars, Google Business profiles, sometimes the email account that everything resets through. If I lose my own password, that is my problem. If I lose a client's, that is a nail salon or a landscaping company that suddenly cannot get into its own website. So I follow four rules, and I do not bend them.
Rule one: secrets never travel by email or text
Email and SMS are postcards. They get forwarded, they sync to old tablets, they sit in an inbox forever. Search the word "password" in your own email right now. If anything comes up, every one of those accounts is only as safe as that inbox.
What I do instead:
- If I need to send a secret, I use a one-time link that self-destructs after a single view. Bitwarden Send does this on the free tier.
- If a client is not comfortable with links, I take the password over a live phone call, log in, and change it the same day. The spoken version stops mattering within hours.
- I never ask anyone to text me a password. If they do it anyway, that password gets rotated the same day.
Rule two: one vault, and nothing outside it
Every credential I hold lives in a password manager. I use Bitwarden, each client in its own folder, with a note on every entry: what the account is, why I have access, and the date I got it. Any account I create myself gets a random generated password, 20 characters or longer, that I never see or memorize.
Not in a Google Doc. Not in a notes app. Not in the browser's save prompt on a laptop that also does everything else.
The honest tradeoff: a vault is a single point of failure. If my master passphrase leaks, everything behind it is exposed at once. I accept that risk because the alternative, secrets scattered across texts and spreadsheets, is strictly worse. I protect the vault with a long passphrase and two-factor from an authenticator app, not SMS. I even built a local-first credential vault into my own free app, mostly because I wanted to understand exactly where secrets sit on a device before asking anyone to trust me with theirs.
Rule three: ask for a seat, not the master key
Most of the time I do not need the owner's password at all, and neither does anyone else helping you. Almost every platform a small business touches can grant a second, limited login:
- GoDaddy and Namecheap offer delegate access for domains.
- Google Business Profile has a manager role that cannot delete the listing.
- Squarespace, Wix, and Shopify all support contributor or staff accounts.
- Meta Business has partner access for Facebook and Instagram pages.
A separate seat means the client can revoke me in one click, and there is a record of what I did versus what they did. For my first client, a nail salon here in Heber City, I needed zero credentials from her because I built and hosted the site on my own infrastructure. The easiest secret to manage is the one you never have to hold.
Rule four: offboarding is part of the project
When the work ends, the access ends. My checklist:
- Send the client a plain list of every account I could touch.
- Remove my seat, or have them remove it while I am on the phone.
- Flag any password that ever traveled insecurely before I showed up, so they can rotate it.
- Delete the client's folder from my vault once they confirm everything works.
If a client keeps me on a monthly care plan, I keep the minimum access the plan needs and nothing extra. I am studying for Security+ right now, not certified yet, and the textbook name for all of this is least privilege. You do not need the cert to practice it. You need the habit.
Here is the uncomfortable question for any owner reading this: who still has the keys to your website from three designers ago? If you do not know, that is worth ten minutes. I do a free 24-hour audit at /audit, three real findings, yours to keep either way. If old access shows up in yours, I will tell you exactly whose seat to revoke first.
community rating
$ ls ./comments
sign in or create an account to rate and comment.
no comments yet, be first.