Secure Client Onboarding for Agencies and Freelancers (Checklist)

Why onboarding is where leaks often start

Day one is chaotic. People email passwords, forward old threads, or drop files into permanent folders. A simple checklist keeps you fast and safe.

Credential requests (the safe way)

• Prefer account invites (add your user with least privilege) over sharing a client’s personal login.
• If credentials are required, use a one-time, expiring link with an access code sent via a different channel. How-to: The Safe Way to Share Passwords in 2025 (No Email).
• Zero-knowledge tools for delivery so providers can’t read the content. Primer: Zero-Knowledge Sharing.

Sender and link verification

• Out-of-band confirmation for anything involving money or admin rights—call a known number.
• Run the CORE routine on all links (copy → inspect domain → expand shortlinks). Guide: Verify Links Like a Pro.

Storage and rotation

• Password manager for all client credentials, tagged by client/project.
• Strong passphrases for any master keys you must remember. How to build: Create Strong Passphrases.
• Rotate credentials after first login and at project handoff/closure. Incident playbook: Leaked Passwords Playbook.

File and asset transfer

• Documents: deliver via expiring links, not long-lived folders. See: Share Sensitive Photos and Documents Safely.
• Wi-Fi on site: use a Guest SSID with QR code and rotation. How-to: Share Wi-Fi Credentials Securely.

Copy/paste onboarding checklist

• [ ] Use invites/least privilege wherever possible
• [ ] For credentials: one-time link + separate access code
• [ ] Verify sender and links out-of-band
• [ ] Store in password manager (tagged by client)
• [ ] Rotate after first login and at handoff
• [ ] Deliver files via expiring links; avoid permanent folders
• [ ] Use guest Wi-Fi with isolation and rotation when on site
• [ ] Share the incident playbook with the client

FAQ

Clients insist on emailing passwords—what now?
Reply with a one-time link option and explain that email creates permanent archives. Offer to call and share the access code verbally.

What if the client’s account won’t allow invites?
Use shared credentials as a last resort: rotate after first login and again at project end.

Related reading

Delivery without inbox trails: The Safe Way to Share Passwords in 2025 (No Email)

Link hygiene that prevents phishing: Verify Links Like a Pro

File transfer basics: Share Sensitive Photos and Documents Safely

Bottom line

A little structure prevents most leaks. Invite first, verify senders and links, deliver secrets via one-time channels, and rotate at handoff. That’s secure onboarding without the drama.

Secure One-Time Messages - Send confidential messages that self-destruct after being read once. Your privacy is our priority. →.