
Stop Emailing Passwords

Email sends passwords in plain text. Use a password manager's sharing feature instead.


Written by senior engineers with decades of experience managing IT and cybersecurity for Northern BC businesses.

Your team needs a login. Someone types it in an email and hits send. Five minutes later, it's on three devices, sitting unencrypted in inboxes and sent folders, exposed to anyone who compromises that email account. This happens dozens of times a day in most organizations. Email was never designed to handle secrets, and it still hasn't gotten any more secure.

How email exposes credentials

When you send an email with a password, several things happen. The message content travels across the internet in plain text: TLS encryption only protects the connection between servers, not the content itself, so each mail server along the way handles a readable copy. Once it arrives, the password sits unencrypted in your mailbox and the recipient's inbox, often indefinitely. Someone forwards the email to a colleague. That same colleague forwards it to someone else. A year later, you clean up your inbox and find it again.

Any compromise of either email account (which is extraordinarily common) exposes every password ever sent through it. An attacker with access to your mailbox can screenshot those credentials and use them immediately. They can also see the exact moment you changed a password if you resent it. The sent folder becomes a literal inventory of secrets.
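To see how large that inventory already is, you can audit a mailbox export you are responsible for. The Python sketch below is an added example, not a tool from this site: it decodes each message body (a forwarded copy is often base64-encoded, so a plain text search misses it), flags credential-looking strings, and reports which messages carry the same secret without printing it. The pattern, the `audit` and `make_sample` names, and the sample messages are assumptions constructed for illustration.

```python
import hmac, os, re
from email import message_from_string, policy
from email.message import EmailMessage

# Heuristic only: keyword, separator, then a token. Review hits by hand.
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|passcode)\s*(?:is|:|=)\s*(\S{6,})")
RUN_KEY = os.urandom(16)  # per-run key so fingerprints cannot be brute-forced later

def audit(raw_messages):
    """Return one finding per credential-looking string, never the secret itself."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        for part in msg.walk():
            if part.get_content_maintype() != "text":
                continue
            body = part.get_content()  # decodes base64 / quoted-printable
            for m in CRED_RE.finditer(body):
                secret = m.group(1).rstrip(".,;")
                findings.append({
                    "message_id": str(msg["Message-ID"]),
                    "subject": str(msg["Subject"]),
                    # Same fingerprint = same secret copied into another message.
                    "fingerprint": hmac.new(RUN_KEY, secret.encode(), "sha256").hexdigest()[:12],
                    "preview": secret[:2] + "*" * (len(secret) - 2),
                })
    return findings

def make_sample(mid, subject, body, cte="7bit"):
    """Build a constructed RFC 5322 message for the demo."""
    m = EmailMessage()
    m["Message-ID"], m["Subject"] = mid, subject
    m.set_content(body, cte=cte)
    return m.as_string()

# Constructed sample data (not real mail): original, a base64 forward, a clean message.
SAMPLES = [
    make_sample("<1@example.invalid>", "Portal login", "Hi, the portal password is Maple-Ridge-42\n"),
    make_sample("<2@example.invalid>", "Fwd: Portal login",
                "FYI\n> Hi, the portal password is Maple-Ridge-42\n", cte="base64"),
    make_sample("<3@example.invalid>", "Lunch", "Share the login through the password manager.\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLES):
        print(f)
```

Every fingerprint that appears in the output is a credential to rotate, and each message ID under it is a copy to delete.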

Texting passwords is equally risky

Text messages feel more private, but they're often less secure than email. Messages sync across devices, live in cloud backups, and persist for years. They're also harder to audit. If a phone is stolen or compromised, the attacker gets the password, and there is no record that you sent it.

What to use instead

Use your password manager's secure sharing feature. Tools like 1Password allow you to share credentials with team members or clients without revealing the actual password. The recipient clicks a link, sees the credential, and never has to store or forward it. The share can expire automatically. You can revoke access anytime.

For non-sensitive but still important information, use a dedicated secure messaging platform with message expiration. For one-time access or onboarding, consider a tool designed specifically for credential delivery.

Make it a habit

The shift costs nothing and takes no additional time. It's a behaviour change, not a technology purchase. Set a rule: credentials never travel by email or text. Train your team to default to password manager sharing. Make it easier to do the right thing than the convenient thing.

This single habit reduces your risk dramatically. It removes an entire vector for credential compromise. It also means your team isn't scrambling to change passwords six months later when you discover an email with an old one still sitting in someone's mailbox.