Why You Should Stop Pasting Passwords in Slack

That DM from six months ago? Still there.

Security · 26 May 2026 · 6 min read

It happens fast

New contractor needs the staging database password. You open a DM, paste it, and move on. They copy it, set up their environment, and the conversation scrolls away. Nobody thinks about it again.

The password is still in that DM. It will be there next week, next quarter, and next year. Slack doesn't know the difference between a joke and a production credential. Both get the same treatment: indexed, stored, retained.

Slack's search index

Slack indexes every message within seconds of sending. That's the feature that makes it easy to find a thread from last Tuesday. It's also the feature that lets anyone in the channel type a service name into the search bar and find the credential you sent six months ago.

On Enterprise Grid plans, admins can search across all channels, including private ones and DMs. The password isn't just in the conversation where you sent it. It's findable by anyone with the right admin scope.

Workspace exports

Workspace owners can export every message from every public channel. On Business+ and Enterprise Grid, they can export private channels and DMs too.

When a company runs an export for legal review or a compliance audit, every password anyone ever pasted into Slack is in the output. The export is a collection of JSON files, typically stored on a shared drive or handed to outside counsel. A credential you sent to one person is now in a file that anyone on the review team can open.

Compliance archives

Many companies pipe Slack messages into a compliance archive in real time. Smarsh, Global Relay, and similar tools copy every message as it's sent.

Deleting the original Slack message doesn't touch the archive copy. The password now exists in two systems, and you only control one of them.

Device copies

Everyone in the channel has the message on their device. Mobile backups, laptop disk images, corporate backup agents. You can't recall a Slack message from someone's iCloud backup.

If one of those devices is compromised, the attacker gets everything the Slack app had cached, including the password you sent months ago and forgot about.

What that adds up to

A single password pasted into Slack can end up in:

  • The channel search index
  • A workspace export on a shared drive
  • A compliance archive you don't manage
  • The device backups of everyone in the conversation

Rotating the password fixes the access problem. It doesn't remove the old credential from any of those places.

Teams and Discord have the same problem

This isn't specific to Slack. Microsoft Teams stores messages in Exchange Online, subject to eDiscovery holds and compliance exports. Discord stores every message permanently, and server exports include DMs.

Any messaging tool that retains history has the same shape of problem. The credential persists for as long as the platform keeps data, which is usually forever.

What to do instead

Send a link that stops working after it's opened. The password gets to the person who needs it. Then the link is dead. What remains in the Slack channel is a URL that points to nothing.

Secret.Broker encrypts the password in your browser before anything leaves your machine. The decryption key lives in the URL fragment, the part after the #, which browsers never send to servers. When the recipient opens the link, the encrypted payload is deleted from storage.

The password existed in exactly two places: the sender's browser and the recipient's browser. Nowhere else. Not in a search index, not in a compliance archive, not in a backup.

For a step-by-step walkthrough, see how to share passwords securely.

← Back to all articles
Share a Password