At some point, almost every business owner working with a virtual assistant faces the same moment: you need your VA to have access to your email, social media, or other tools — and you're not quite sure how to share that access safely. Sending passwords over email or Slack feels risky. Writing them in a shared doc is worse. But the alternative isn't to hand over your master password — it's to use the right tools.
This guide covers every secure method for sharing credentials with your virtual assistant, plus what to avoid.
Why Password Security Matters for VA Relationships
When you share a password with your VA, you're extending trust. But trust alone isn't a security strategy. Consider what's at risk:
- Email access contains confidential client communications
- Social media accounts represent your brand
- Ad platform accounts can spend significant amounts of money
- CRM access holds customer personal data
- Financial tools contain sensitive business information
A compromised account — whether through a security breach, a disgruntled VA, or simple carelessness — can cause significant business damage. Secure password sharing is about protecting yourself, your clients, and your VA too.
What to Never Do
Before covering the right methods, here's what to avoid:
- Email: Emails persist in inboxes indefinitely and are vulnerable to breaches
- Slack or messaging apps: Messages can be accessed by others and are not encrypted end-to-end by default
- Google Docs or shared spreadsheets: Anyone with the link can see them; they're not designed for credential storage
- Sticky notes or text files: No encryption, no access control
- Verbal communication on video calls: No record, easy to mishear or mistype
The Right Method: Password Managers
A dedicated password manager is the only secure way to share credentials. These tools store passwords in encrypted vaults and let you share access without revealing the actual password.
LastPass
LastPass offers a Shared Folder feature in paid plans that lets you share groups of credentials with specified users. Your VA gets access through their own LastPass account and can log in to sites — but can never view or copy the underlying password.
When the relationship ends, simply remove them from the shared folder. All access is revoked instantly.
1Password
1Password uses Vaults for credential organization. You can create a dedicated VA vault and invite them to it with view-only access, meaning they can use the passwords but not see or export them. 1Password's Travel Mode and granular permission settings make it a top choice for professional teams.
Bitwarden
Bitwarden is open-source and offers a free tier with sharing capabilities. Its Organizations feature allows you to share password collections with teammates. It's a great cost-effective option for small businesses and solo entrepreneurs.
Keeper
Keeper offers strong team-sharing features with detailed audit logs showing exactly who accessed which credentials and when. Useful if you want visibility into credential usage.
Setting Up Shared Access: Step-by-Step
Here's the general process regardless of which password manager you choose:
- Create an account for your VA (or ask them to create one with their own email address)
- Create a dedicated folder or vault specifically for VA access — don't share your entire password vault
- Add only the credentials your VA needs for their specific role
- Invite them with the appropriate permission level (use-only or limited access where available)
- Send the invitation through the password manager's built-in sharing mechanism
- Confirm they've set up their account and can access the shared credentials
This entire process takes about 15 minutes and provides ongoing protection for all shared credentials.
Platform-Specific Access: Don't Always Need the Password
For many platforms, you can grant access without sharing a password at all. Use native permission systems whenever available:
- Meta Business Manager: Add your VA as a partner or team member with specific account access
- Google Workspace: Create a separate account for your VA under your business domain
- Google Analytics: Add them as a user with view or analyst permissions
- Shopify: Create a staff account with selected permissions
- Buffer / Hootsuite / Later: Add them as a team member within the platform
This approach is often better than password sharing because access is tied to their own account, you can see their activity, and revoking access is instant and clean.
Two-Factor Authentication Considerations
If your accounts use two-factor authentication (2FA) — and they should — you need a plan for how your VA handles the second factor.
Options:
- Authenticator apps with shared codes: Some password managers (like 1Password) can store and share TOTP (time-based one-time password) codes alongside credentials
- Backup codes: Generate and store backup codes in your password manager for your VA to use
- Trusted device registration: Register your VA's device as trusted on specific platforms if the platform supports it
Avoid texting 2FA codes to your VA. This creates a bottleneck and is less secure than using a proper authenticator.
When Offboarding: Revoke Access Immediately
When your VA relationship ends, credential offboarding is just as important as the initial setup. On the same day:
- Remove them from all shared password manager folders
- Change any passwords that were shared directly (outside the manager)
- Remove platform-specific user accounts
- Revoke any API keys or integration tokens they had access to
- Check for any saved sessions on shared devices
For a broader offboarding and security checklist, see our guide on virtual assistant security and data protection.
Building a Password Policy for Your Team
If you're working with multiple VAs or building a team, document your password policy in your onboarding materials. It should cover:
- Required password manager (specify which one you use)
- Password strength requirements for any accounts they create
- Prohibition on storing business passwords outside the approved manager
- Process for requesting access to new tools
- Reporting process for suspected security incidents
A clear policy removes ambiguity and sets professional expectations from the start.
Ready to Hire?
Secure credential management is a foundational part of any professional VA relationship. Ready to hire a virtual assistant? Virtual Assistant VA connects you with trained VAs who specialize in professional, secure remote work — so you can delegate with confidence knowing your accounts are protected.