In marketing/web ops your team members often need to trust you with their digital keys. Are you doing all you can to educate them on best practices and keep their credentials safe? How securely we receive them, store them, or share them internally is ops 101.
Modern marketing campaigns are multi-touch by default: social, web, landing pages, microsites, shopping carts, ad platforms, and more. Each requires credentials — often the same ones that can unlock serious financial or reputational damage if mishandled. Yet it’s still common for clients to email passwords in plain text, sometimes using the same password everywhere. We need to do better; for them, and for ourselves.
Start with education
When a client sends login credentials by email, that’s not a convenience, it’s a security breach waiting to happen. Our role includes educating clients on secure sharing methods and modeling best practices internally.
I once asked a colleague to text me a password separately from the username for added safety. Instead, I received both in the same email. Her password? Her first name. After a quick lesson on password hygiene, she updated it… to her first name plus “1234.” It turned out to be the same password used across her PayPal, hosting account, email, and social media. I sighed, changed it myself, and texted her a new one. That was a teaching moment — and a reminder of how differently people define secure.
Most breaches don’t involve someone guessing your password; they happen when credentials are stolen during a data leak. If your email and password combo was ever exposed — say, in the massive Adobe or LinkedIn breaches — and you reused that password elsewhere, attackers now have the keys to your kingdom.
When we request credentials from clients without offering a secure way to deliver them — and worse, forward those emails internally — we multiply the risk. Here’s how we can help change the status quo.
Nine ways to handle credentials responsibly
- Use secure channels. If clients must send credentials, keep usernames and passwords separate — for instance, username by email and password by text or secure messaging. Better yet, use an encrypted file or password manager share link. Nothing is bulletproof, but even small steps make interception harder.
- Encourage password managers. Tools such as 1Password, Bitwarden, and LastPass Business allow secure password sharing without exposing plain text. Teach clients to generate strong, random passwords and revoke access once the project is complete. All of these tools will auto-generate the passwords as well, so the user doesn’t have to tax themselves with complex creativity.
- Use patterns carefully. If your client insists on memorizing passwords, help them build a pattern system that’s unique per site. For example, %^s9idErT#@ is a simple pattern that incorporates uppercase, lowercase, numbers, and symbols — and changes per domain. Just don’t let anyone believe “Anna1234” is complex.
- Try the phrase trick. Turn a phrase into a password by using the first letter of each word: “I think Amazon.com is a wonderful 1st rate site!” becomes ItA.comiaw1strs!. Long, unique, and easy to remember — perfect.
- The longer, the better. Length trumps complexity. Aim for at least 12–16 characters. Password managers can generate 20+ without a pause — there’s no reason to stay short anymore.
- Avoid names and obvious words. Skip pets, kids, partners, and birthdays. If it’s on social media, it’s public knowledge. “OscarTheBoxer2025” isn’t fooling anyone.
- Mix it up. Combine uppercase, lowercase, numbers, and symbols. Most modern systems allow: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] | : ; " ' < > , . ? /
- Randomly lie on security questions. If a site asks for your mother’s maiden name, don’t use her real one — use “JimmyChoo.” Your first car? “RollerSkates.” Be creative; nobody said security can’t be fun.
- Store smartly. If you must store credentials, keep usernames and passwords in separate encrypted files, avoid naming any document “passwords”, and review access regularly. Rotate passwords quarterly and require two-factor authentication wherever possible.
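The phrase trick, the “length trumps complexity” claim and the warning about public facts, worked through in a short Python script (an added example, not code from the original article). The mnemonic rules are inferred from the article’s single example, the bit estimate is a plain keyspace bound, and the facts list in the demo is a constructed stand-in for what a social profile reveals.

```python
"""Added example: the phrase mnemonic, a keyspace estimate for the
"length trumps complexity" claim, and a check for publicly known facts."""
import math
import re
import string

# Character classes a brute-force attacker would have to cover.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)  # punctuation = 32 symbols


def phrase_to_password(phrase: str) -> str:
    """Apply the article's mnemonic: first letter of each word, keeping a
    dotted suffix (Amazon.com -> A.com), digit-led tokens whole (1st) and
    trailing punctuation (site! -> s!)."""
    parts = []
    for token in phrase.split():
        if token[0].isdigit():
            parts.append(token)
        elif "." in token:
            parts.append(token[0] + token[token.index("."):])
        else:
            tail = re.search(r"[^A-Za-z0-9]+$", token)
            parts.append(token[0] + (tail.group(0) if tail else ""))
    return "".join(parts)


def brute_force_bits(password: str) -> float:
    """Upper bound on guessing work, in bits, for an attacker who knows only
    the length and which classes appear: log2(alphabet ** length).
    Dictionary words and patterns push the real figure far lower."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def uses_public_facts(password: str, facts: list) -> list:
    """Return the facts (names, pets, years anyone can read off a social
    profile) that appear inside the password, case-insensitively."""
    return [f for f in facts if f.lower() in password.lower()]


if __name__ == "__main__":
    pw = phrase_to_password("I think Amazon.com is a wonderful 1st rate site!")
    print(pw, round(brute_force_bits(pw), 1))          # ItA.comiaw1strs! 104.9
    # 16 lowercase letters (75.2 bits) beat 8 chars from all four classes (52.4).
    print(round(brute_force_bits("a" * 16), 1), round(brute_force_bits("%^s9idEr"), 1))
    # Constructed facts standing in for what a public profile reveals.
    print(uses_public_facts("OscarTheBoxer2025", ["Oscar", "Boxer", "2025"]))
```

A high bit count is only an upper bound: “OscarTheBoxer2025” scores well on length yet fails the public-facts check, which is the article’s point.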
Remember: Cybersecurity isn’t just your IT team’s job — it’s a brand trust issue. One leaked password can undo years of credibility.
Editor’s note: I wrote this article some time ago — but the principle hasn’t changed. This lightly updated version reflects current tools and practices while keeping the same lessons intact.
AI disclosure: This content was originally written by me and later updated with assistance from OpenAI’s GPT-5 for light editing, fact-checking, and modernization. Every word has been reviewed and approved by a human — specifically, me — before publication.
Security ops checklist
Keep this next to your keyboard — or better yet, run through it quarterly.
- 🔑 Credential handling. Never store passwords in email or chat. Use a password manager with access logs.
- 🧩 Access control. Grant the least privilege needed — and revoke access when projects end.
- 📱 Multi-factor authentication. Enable MFA on every account that supports it — no exceptions.
- 📁 Secure sharing. Exchange credentials only through encrypted vault links or enterprise tools such as Bitwarden Teams or 1Password Business.
- 🔍 Internal education. Train staff quarterly on phishing awareness and credential hygiene.
- 💾 Backup policy. Keep redundant, encrypted backups of all client data and configuration files.
- 🧹 Audit trail. Track who accessed what and when — transparency protects everyone.
- 🕓 Rotation schedule. Change shared passwords every 90 days (or immediately after turnover).
- 🚨 Incident plan. Have a response protocol for breaches: who to notify, how to secure, and how to recover.
Security isn’t a feature — it’s a habit.