A Client Emailed You a Password—Here’s the Safe Cleanup Plan

Step 1 — Contain first (5 minutes)

• Don’t forward the email. More copies = more risk.
• Rotate the password immediately to a strong, unique one (use your manager). Need help with memorables? Read: How to Create Strong Passphrases You’ll Actually Remember.
• Enable/confirm MFA on the affected account.

Step 2 — Replace the delivery method (10 minutes)

• Send a one-time, expiring link with the new credential and share the access code by phone/SMS. How-to: The Safe Way to Share Passwords in 2025 (No Email).
• Verify the recipient out-of-band before they open anything. Link hygiene guide: Stop Phishing at the Source: Verify Links Like a Pro.

Step 3 — Clean up the mess (15–30 minutes)

• Delete the original email (after rotation) from your inbox and trash.
• Ask the client to delete the message from Sent Mail and Trash as well.
• Sweep related threads for other exposed secrets. Quick guide: Audit Your Old Messages for Leaked Secrets.

Step 4 — Prevent a repeat

• Share your “how we exchange passwords” one-pager with clients. Use this policy template: Secret-Sharing Policy Your Team Will Actually Follow.
• Teach the 3-step routine: one-time link → separate access code → quick phone confirmation.

Optional tools that help

• Password manager: Bitwarden 🔗 or 1Password 🔗 for unique, long passwords.
• Breach check: Verify exposure with Have I Been Pwned 🔗.

If the account may be compromised

Run a lightweight incident response right away: The Simple Incident Playbook for Leaked Passwords.

Bottom line

Rotate first, replace delivery with one-time links, clean up old copies, and teach clients the safer route. That turns a slip-up into a one-time lesson.

Secure One-Time Messages - Send confidential messages that self-destruct after being read once. Your privacy is our priority. →.