The Password That Never Dies
You share a Wi-Fi password with a new colleague in Slack. Six months later they leave the company. A year after that, your Slack workspace is breached, or an ex-employee still has access to their account. That password is still sitting in your chat history, readable to anyone who finds it.
This isn't a hypothetical. It's how credential theft actually works in practice. Slack message history is a goldmine for attackers precisely because people treat it like a private conversation when it's closer to a searchable database.
Why Slack Is a Bad Place for Passwords
1. Messages are stored indefinitely (on paid plans)
On Slack's paid tiers, message history is retained for as long as you pay. That password you sent in 2021 is still there. Your organisation may have a retention policy, but most don't, and even if they do, deletion isn't guaranteed.
2. Workspace admins can read everything
Slack admins and owners can export message history, including direct messages on some plans. If you're sending passwords to a colleague via DM, you're not in a private channel; you're in a channel that your IT admin or workspace owner can access.
3. Account compromise exposes your entire history
If any user account in your workspace is compromised, whether through phishing, credential stuffing, or a data breach at another service where they reused their password, the attacker has access to everything that user could see. Including any passwords you've ever sent them.
4. Slack isn't end-to-end encrypted
Unlike Signal or WhatsApp, Slack messages are not end-to-end encrypted. Slack (the company) can read your messages, and any breach of their infrastructure could expose your data. Their 2015 breach is well-documented. Assume it can happen again.
5. Integrations and bots can read messages too
Every third-party Slack app you've authorised (project management tools, notification bots, customer support integrations) may have access to message history in the channels they're added to. That's a wide potential exposure surface.
The Same Problem Applies to Email
Everything above applies equally to email, with the added issue that copies of your message sit on multiple servers: yours, your recipient's, any mail relay in between, and potentially email security gateways that archive everything. The average corporate email archive goes back years.
Sending a password via email is essentially writing it on a postcard and filing it in a library.
What to Do Instead: One-Time Links
The fix is simple and takes about 30 seconds. Instead of typing the password into Slack or email, create a one-time secret link:
1. Go to onesecret.fyi
   No account, no signup. Just open the page.
2. Paste your password or secret
   Type or paste the sensitive information into the text field. Optionally, add a password for extra protection.
3. Create the link
   Your browser encrypts the secret locally before sending anything. The server never sees the plaintext.
4. Share the link via Slack, email, or any channel
   The link itself is safe to share over insecure channels: it's useless without the decryption key, which is embedded in the URL and never sent to any server.
5. The secret self-destructs after viewing
   Once your recipient opens the link, the secret is permanently deleted. What's in your Slack history is just a link to something that no longer exists.
Now your Slack history contains a dead link, not a live credential.
What About Password Managers?
Password managers like 1Password, Bitwarden, and LastPass have sharing features and are excellent for ongoing credential management within teams. For one-time sharing (sending a credential to a contractor, a new employee, or someone outside your organisation) a one-time link is simpler and leaves no persistent record on either end.
The two approaches complement each other well: use a password manager for credentials your team shares long-term, and use a one-time link when you need to hand a secret to someone once.
Good Security Doesn't Have to Be Complicated
The reason people share passwords in Slack is that it's fast. The fix has to be just as fast, or people won't use it. Creating a one-time secret link takes about 30 seconds and requires no setup, no app install, and no account. That's the bar security tooling needs to clear to actually change behaviour.
Frequently Asked Questions
Can Slack admins read my direct messages?
On Slack's Business+ and Enterprise Grid plans, workspace owners can apply to export DM history. On free and Pro plans the export tool only covers public channels, but Slack itself (the company) retains access to all message data. For practical purposes, treat all Slack messages, including DMs, as readable by your organisation's administrators.
Is sharing a password over Signal or WhatsApp safe?
Signal is end-to-end encrypted and messages aren't retained on Signal's servers, making it considerably safer than Slack or email for sharing sensitive information. The residual risk is that the message persists on both devices until manually deleted. A one-time link removes that persistence: once viewed, there's nothing left on either end.
What if someone intercepts the one-time link before my recipient opens it?
If the link is viewed by an attacker first, your recipient will see that the secret has already been accessed, which is itself a warning signal.
Does OneSecret keep any logs?
No. OneSecret stores only the encrypted ciphertext and associated metadata (expiry, view count). There are no analytics, no tracking cookies, and no logs of what secrets were created or when they were viewed. The server cannot read the content of any secret.
What should I do about passwords I've already shared in Slack?
If you've shared sensitive credentials in Slack, the safest course is to rotate those credentials: generate new passwords, API keys, or tokens and invalidate the old ones. Going back and deleting the original messages is good hygiene but doesn't guarantee the data wasn't already exported or cached somewhere.