Best Practices for Securely Sharing Passwords with Virtual Assistants and Other Contractors
When working with virtual assistants (aka VAs), as well as other contractors, sharing passwords often feels unavoidable. However, this practice comes with risks. Shared passwords can be intercepted, compromised, or misused—especially after a contract ends.
Insecure credential sharing is one of the most common entry points for cybercriminals targeting small businesses. When passwords are shared via text messages, emails, or spreadsheets, you're essentially leaving the keys to your business in plain sight.
Business Constraints
I understand that as a small business owner, you're working with limited resources. You likely don't have a dedicated IT department or security professional on staff. Budget constraints make expensive security solutions impractical, and complex systems get abandoned in favor of convenience.
The reality is that if security measures are too complicated or time-consuming, you and your team will find workarounds that may compromise your security. This is especially true when working with virtual assistants who need quick access to multiple accounts to perform their duties.
You can create systems that protect your assets without hindering productivity.
Best Practices for Password Management
Password Managers
Password managers are game-changers for small businesses working with VAs and other contractors. These tools securely store and share passwords, eliminating the need to send credentials through unsecured channels like email or text messages. You don't need technical knowledge to choose a password manager; what matters more is your knowledge of your workflows.
With a password manager, you can do things like:
Let your VA use a password without letting your VA see or change the password
Generate strong, unique passwords for each account without having to remember them
Revoke passwords at any time
Onboard and offboard people for the duration of projects and contracts
Set up time-limited sharing for temporary access
Track who used which passwords and when (important for compliance)
There are a number of affordable solutions specifically designed for small businesses, such as LastPass, NordPass, 1Password, Keeper, and Bitwarden. Make a short list of how you work with your VAs, then take a look at the options and which matches up to your workflows the best.
Multi-Factor Authentication (MFA)
Multi-factor authentication adds an essential layer of security beyond passwords. When MFA is enabled, accessing an account requires both something you know (the password) and something you have (typically a mobile device that receives a verification code).
Even if a password is compromised, MFA can stop hackers in their tracks. This additional security layer is particularly important when working with virtual assistants who may be accessing your accounts from various locations and devices.
MFA options can include a physical device or an app (most common). Some password managers include the MFA option, rather than having to have a separate authentication app. Note that texting codes (SMS) is less secure than these other options. If you didn't see our previous post on MFA options, read it here.
Role-Based Access Control (RBAC)
Role-based access control ensures that your virtual assistants and other contractors only have access to the resources they need to perform their specific tasks. For example, a social media manager doesn't need access to your financial accounts, and a bookkeeper doesn't need your website admin credentials.
By implementing RBAC, you can:
Limit permissions to only the necessary digital resources
Set read-only or read/write privileges for different users
Control who can modify passwords or settings
Reduce the potential damage if any single account is compromised
Where do you set up RBAC? It can be where you create an account for your VA in an app, and also in your password manager.
Balancing Best Practices with Business Needs
Cost-Benefit Analysis
When considering costs, compare the cost of implementing security measures against the potential cost of a breach. Data breaches can be catastrophic for small businesses, including legal fees, customer notification costs, and reputational damage.
For perspective, implementing a password manager for a small team might cost a few hundred dollars annually, while the average cost of a data breach for small businesses can run into thousands or even tens of thousands of dollars.
Scalable Solutions
Look for security solutions that can grow with your business. Many password managers offer tiered pricing that scales with your team size, making them accessible even for very small businesses. (Don't let fear of picking "the wrong one" stop you -- if you find you need more features as you grow and change, you can always migrate to another password manager.)
Practical Tips
Here are some actionable steps you can take today:
What accounts do your virtual assistants access? Make a list.
How sensitive are they? Do they contain customer or financial information? Prioritize those.
Put in place a password manager for sharing passwords. Start adding the most important accounts to the password manager as you use them.
Enable MFA on all critical accounts.
Create clear offboarding procedures for when contracts end or other cases where you stop working with people.
Train your virtual assistants on basic security practices.
View security as an extension of your business expertise, not a separate technical domain. Trust your judgment, ask questions, and don't be afraid to seek guidance when needed.
Balancing password security with business reality when working with virtual assistants isn't about implementing perfect security—it's about finding practical solutions that protect your business without creating unnecessary friction. By using password managers, implementing MFA, and applying role-based access controls, you can significantly reduce your risk while maintaining productivity.
