Share Passwords Safely in Microsoft Teams
Pasting a password into Microsoft Teams chat looks harmless, but the message sticks around: retention policies keep it for months or years, Microsoft Purview indexes it, and eDiscovery makes it searchable by compliance officers. Every credential pasted in Teams is a long-lived secret waiting to leak. 1time.io solves this by turning any password, API key, or file into a one-time encrypted link you can safely drop into any Teams chat, channel, or meeting.
Retention-safe
Teams retains the link, not the password. Once read, the secret is destroyed on our server, so retained messages point to nothing.
eDiscovery-safe
Purview and eDiscovery can index the URL all they want: the decrypted secret never existed on any Microsoft server.
Preview-safe
The Teams link unfurl hits a landing page with an explicit "Read and consume" button. Preview bots do not burn the secret.
Zero-knowledge
The decryption key stays in the URL fragment. Microsoft, your IT admin, and 1time.io all see ciphertext only.
Why you should never paste passwords into Teams chat
Microsoft Teams is convenient, but its architecture is the opposite of what a shared secret needs. Chat messages are stored according to the tenant's Teams retention policy, often for the life of the user account. Microsoft Purview eDiscovery indexes every message for compliance search. Global admins, compliance officers, and anyone with eDiscovery rights can read Teams DMs, including ones you deleted. Messages you send to a channel persist in the channel's SharePoint site. If a tenant is ever compromised, every password ever pasted in Teams is trivially harvestable.
A one-time encrypted link inverts the problem. The Teams message contains only a URL. The actual secret lives, briefly, on 1time.io in ciphertext form, gets read once, and is destroyed. Anyone reading the retained Teams message after that moment (auditor, admin, attacker) sees a dead link with no way to recover the plaintext.
How the Teams workflow works
- Paste the password into the form above and click "Create secret link". Encryption happens in your browser with AES-256-GCM before anything leaves your device.
- Copy the link and drop it into any Teams chat, channel post, or meeting chat.
- Teams renders a preview with a "Read and consume" call to action; no secret is revealed to the preview bot.
- The recipient clicks through, confirms they want to read, and the secret is shown exactly once.
- The server deletes the encrypted payload. The retained Teams message now points to a link that will never work again.
When to use one-time links inside Teams
- Onboarding a new hire: send initial credentials for VPN, ERP, or admin tools in their welcome Teams chat.
- Rotating a shared service account password across the team without leaving 30 copies in channel history.
- Sharing an API key or token with a dev in another squad through their Teams DM.
- Handing off a kubeconfig or .env file via secure file sharing dropped into a Teams channel.
- Vendor or client handoffs where an external Teams guest needs a one-time credential.
- Break-glass / incident response: share root credentials in the incident Teams channel without burning them into permanent history.
How one-time links support compliance controls
Many security and privacy frameworks expect organisations to minimise plaintext credential exposure in communication tools. GDPR Article 5 emphasises data minimisation. SOC 2 CC6 and ISO 27001 Annex A.10 focus on access control and cryptography for secrets. NIS2 raises the bar further for risk reduction and operational resilience. Pasting a password into Teams chat creates a persistent, discoverable copy that can work against those control goals.
Replacing plaintext-in-chat with one-time encrypted links can be a useful control for secret handling. 1time.io stores ciphertext, deletes it after a single read, requires no account, and is open source so your security team can review the implementation. Whether that satisfies your organisation's compliance obligations still depends on your wider controls, governance, and legal review.
Teams alternatives we compare to
Microsoft's own suggestion for sharing secrets inside Teams is usually "use a password manager." That's the right tool for ongoing shared access inside a team, but it requires both parties to have accounts in the same vault. For one-off handoffs across team boundaries, tenants, or with external guests, a one-time link is faster and leaves no long-term copy anywhere.
Frequently asked questions
Is it safe to send passwords in Microsoft Teams chat?
No. Teams messages are retained according to your tenant's retention policy (often years), indexed by Microsoft Purview, and discoverable through eDiscovery. Global admins and compliance officers can read the plaintext. Even after you delete a message, copies persist in compliance archives and backups. A password pasted into Teams chat is effectively a long-lived credential leak.
How does a one-time link fix the Teams retention problem?
The Teams message only contains a URL, not the password itself. Retention captures the wrapper, not the secret. After the recipient opens the link once, the encrypted payload is permanently deleted from 1time.io servers. Anyone reading the retained Teams message later (auditors, admins, attackers who compromise the tenant) just sees a dead link.
Does the Teams link preview burn my one-time secret?
No. Microsoft Teams fetches link previews, but 1time.io shows an explicit "Read and consume" button on the recipient page. The preview bot sees the landing page, not the decrypted secret. The secret is only revealed when a human clicks the button, so Teams unfurls are safe.
Can my Teams admin or IT see the password I share through 1time.io?
No. The password is encrypted in the sender's browser with AES-256-GCM before it leaves the device. The decryption key lives in the URL fragment (the part after #), which browsers never send to servers. Your Teams admin sees the link in chat history but cannot decrypt the content.
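The flow described in the workflow steps and in the answers above (AES-256-GCM encryption on the sender's side, key carried in the URL fragment, a preview fetch that does not consume, deletion on first read), as an added example that is not 1time.io's code. The in-memory `server`, the `/v/` path, the `secrets.example` host and all function names are assumptions made for illustration; it runs under Node using the Web Crypto API.

```javascript
// Added example, not 1time.io's code. `server`, the /v/ path and secrets.example are hypothetical.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Web Crypto (fallback for older Node)
const b64u = (bytes) => Buffer.from(bytes).toString('base64url');
const unb64u = (s) => new Uint8Array(Buffer.from(s, 'base64url'));

// Stand-in server: holds id -> {iv, ct} only, never the key.
const store = new Map();
const server = {
  put(blob) { const id = b64u(wc.getRandomValues(new Uint8Array(12))); store.set(id, blob); return id; },
  // GET of the link (what a preview bot does): renders a page, changes nothing.
  landing(id) { return store.has(id) ? 'Read and consume' : 'gone'; },
  // Explicit action behind the button: return the blob once, then delete it.
  consume(id) { const blob = store.get(id) ?? null; store.delete(id); return blob; },
};

// Sender: encrypt locally, upload ciphertext, put the raw key in the fragment.
async function createLink(secret) {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(secret));
  const id = server.put({ iv: b64u(iv), ct: b64u(new Uint8Array(ct)) });
  const rawKey = await wc.subtle.exportKey('raw', key);
  return `https://secrets.example/v/${id}#${b64u(new Uint8Array(rawKey))}`;
}

// The request target an HTTP client sends for a URL: path and query, no fragment.
function requestTarget(link) { const u = new URL(link); return u.pathname + u.search; }

// Recipient: consume once, then decrypt locally with the key from the fragment.
async function readLink(link) {
  const u = new URL(link);
  const blob = server.consume(u.pathname.split('/').pop());
  if (!blob) return null; // already read: dead link
  const key = await wc.subtle.importKey('raw', unb64u(u.hash.slice(1)), { name: 'AES-GCM' }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: unb64u(blob.iv) }, key, unb64u(blob.ct));
  return new TextDecoder().decode(pt);
}

async function demo() {
  const link = await createLink('constructed-sample-password'); // constructed sample value
  const onWire = requestTarget(link);
  const preview = server.landing(onWire.split('/').pop()); // link unfurl
  const first = await readLink(link);   // plaintext
  const second = await readLink(link);  // null
  const keyOnWire = onWire.includes(new URL(link).hash.slice(1));
  return { onWire, preview, first, second, keyOnWire, stored: store.size };
}
```

The link retained in chat still carries the fragment key; after the first read it is useless because the ciphertext it would decrypt has been deleted. In a browser the same calls are available as `crypto.subtle`, with `Buffer` replaced by a base64url helper.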
Can this help with GDPR, SOC 2, and ISO 27001 controls?
One-time links can support data-minimisation and secret-handling controls under frameworks such as GDPR, SOC 2, and ISO 27001 because the secret is encrypted in the browser, shared as a link, and deleted after one read. Whether your organisation is compliant still depends on your broader policies, retention settings, access controls, and legal review.
Can I add an extra passphrase on top of the Teams link?
Yes. When you create the link, set an optional passphrase and send it through a different channel (voice call, SMS, another Teams chat). The recipient needs both the link and the passphrase to decrypt. This defeats anyone who only has access to the Teams message.
What about sharing API keys, certificates, or config files through Teams?
The same workflow works for any text secret (API keys, tokens, connection strings) via the text sharing form, and for files up to 10 MB (certificates, .env files, kubeconfig, PDFs) via secure file sharing. Drop the one-time link in Teams chat instead of pasting or attaching the raw content.