Why You Shouldn't Share Passwords in Slack
They stay there longer than you think.
Slack stores every message
You paste a database password into a channel so a contractor can set up their local environment. They copy it. The conversation moves on. The password stays.
Slack doesn't distinguish between a joke and a production credential. The password is in the search index within seconds. Anyone in that channel can find it today, next month, or two years from now.
Workspace exports
Workspace owners can export every message from every public channel. On Business+ and Enterprise Grid plans, they can export private channels and DMs too.
When a company runs an export for legal review or a compliance audit, every password anyone ever pasted into Slack is in the output. The export is a set of JSON files, usually stored on a shared drive or handed to outside counsel. A password you sent to one person is now in a file that anyone on the review team can open.
Search indexing
Slack indexes every message for search. That's useful for finding a thread from last week. It also means anyone in the channel can type a service name into the search bar and find the credential you sent six months ago.
On Enterprise plans, admins can search across all channels, including private ones. The password isn't just in the channel where you sent it. It's findable by anyone with the right search scope.
Compliance archives
Many companies pipe Slack messages into a compliance archive. Smarsh, Global Relay, and similar tools copy every message in real time.
Deleting the original Slack message doesn't touch the archive copy. The password now exists in two systems, and you only control one of them.
Device copies
Everyone in the channel has the message on their device. Mobile backups, laptop disk images, corporate backup agents — they all contain it. You can't recall a Slack message from someone's iCloud backup.
What this adds up to
A password pasted into Slack can end up in the channel search index, a workspace export on a shared drive, a compliance archive you don't manage, and the device backups of everyone who was in the channel. Rotating the password fixes the access problem. It doesn't remove the old credential from any of those places.
Teams and Discord have the same problem
This isn't specific to Slack. Microsoft Teams keeps messages in Exchange Online, subject to eDiscovery holds and compliance exports. Discord stores every message permanently, and server exports include DMs.
Any messaging tool that retains history has the same issue. The credential persists for as long as the platform keeps data, which is usually forever.
What to do instead
Send a link that stops working after it's opened. The password gets to the person who needs it, and then the link is dead. What remains in the Slack channel is a URL that points to nothing.
Secret.Broker encrypts the password in your browser before anything reaches the server. The decryption key is in the URL fragment, the part after the #, which your browser never sends to the server, so the server only ever holds ciphertext it cannot read. When the recipient opens the link, the encrypted data is deleted.
For a step-by-step walkthrough, see how to share passwords securely. The same approach works for API keys and any other credential that shouldn't sit in a chat log.