May 18, 2026. Tags: security, teams, how-to, contractors

The safest way to share passwords with contractors

A practical pattern for giving short-term contractors access to specific credentials, then revoking cleanly when the engagement ends.

Quick answer. The safest way to share passwords with a contractor:

  1. Invite them to a zero-knowledge password manager as View only with their own account (never share yours).
  2. Put only the credentials they need into a dedicated vault, one vault per engagement scope.
  3. Grant per-vault access (Manage Vault Access).
  4. On the agreed end-date, revoke their account in one click; vault keys rotate automatically.
  5. For high-value credentials (API keys, deploys), rotate the underlying credential too.

Total setup: ~3 minutes per contractor. Start free with LitePassword.


Why contractor sharing breaks most teams

Contractors are short-term by definition. The pattern that works for permanent employees — “add them to the shared Slack channel, hand them everything” — is exactly what fails for contractors.

The specific failures:

  • You forget which credentials they had.
  • They keep saved logins in their browser after the engagement.
  • They have screenshots in their notes app.
  • You change the credential and forget to update the team.
  • Six months later you find their old account still has access.

A vault with per-engagement scope and one-click revoke fixes all of these by structure.

The pattern: per-engagement vault

For each contractor engagement, create or use one dedicated vault. Name it after the engagement scope, not the contractor — “Acme website launch” or “Q3 ad campaign”, not “Sarah’s stuff”.

In the vault, add only the credentials this engagement needs. If the contractor is building an ad campaign, they need Google Ads, Meta Business, and your design assets — they don’t need your Stripe or your AWS root.

Step-by-step setup

  1. Create the vault. Vaults page → New vault. Name it after the engagement.
  2. Add the credentials. Login, Password, or Custom secrets — whatever fits.
  3. Invite the contractor. Users page → Invite user, role = View only.
  4. Grant per-vault access. Manage Vault Access on their row → toggle on the one vault.
  5. Send them the in-app link. “Sign up at app.litepassword.com, your account will be ready.”
  6. They sign up, set their own master password, save their recovery key. They open the vault, use the credentials.

Total time: 3-5 minutes including the contractor’s signup.

During the engagement

  • They never see your other vaults. This is enforced cryptographically: their account doesn’t have the wrapped keys for other vaults.
  • They cannot create vaults, invite anyone, or change roles. The View only role enforces this.
  • They cannot export. They can copy values one at a time from the vault, as in any password manager, but there is no bulk download.

End-of-engagement: the two-step close

Step 1 — Revoke their account. Users → row menu → Revoke Access. Their account is removed. The vault they had access to rotates its encryption key. Their cached ciphertext (if any) becomes undecryptable.

This step is instant and reversible. If you accidentally revoke, you can re-invite them — the new account is fresh, no carryover.

Step 2 — Rotate sensitive credentials. This is the step most people miss. Revoking vault access closes their ability to re-read the credential from the vault. It does not invalidate the credential itself.

If they used the credential value during the engagement, they might remember it (engineers especially). For high-value credentials — API keys, production passwords, anything that touches money — rotate the credential on the source tool after revoking.

For low-value credentials (a Canva login, a Mailchimp account), revoking vault access is usually enough.
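
The two-step close above, written as an audit over a credential inventory. This is an added example, not LitePassword code; the record layout, names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Credential:
    name: str
    high_value: bool      # API keys, production passwords, anything that touches money
    last_rotated: date    # date the secret was last changed on the source tool

@dataclass
class Engagement:
    vault: str                    # named after the engagement scope
    contractor: str
    end_date: date                # agreed end of the engagement
    revoked_on: Optional[date]    # None = the account still has vault access
    credentials: List[Credential]

def audit(engagements: List[Engagement], today: date) -> List[Tuple[str, str, str]]:
    """Return (vault, subject, finding) for every engagement not closed cleanly."""
    findings = []
    for e in engagements:
        if today <= e.end_date:
            continue  # engagement still running
        if e.revoked_on is None:
            # Step 1 missed. Rotating first would be pointless: the contractor
            # could still read the new value from the vault.
            findings.append((e.vault, e.contractor, "access not revoked after end date"))
            continue
        for c in e.credentials:
            # Step 2: a high-value secret must be rotated on or after the revoke date.
            if c.high_value and c.last_rotated < e.revoked_on:
                findings.append((e.vault, c.name, "not rotated since revoke"))
    return findings

# Constructed sample inventory (all names and dates are made up).
SAMPLE = [
    Engagement("Acme website launch", "contractor-a", date(2026, 4, 30), date(2026, 4, 30), [
        Credential("Deploy API key", True, date(2026, 3, 1)),    # stale: finding
        Credential("Hosting password", True, date(2026, 5, 2)),  # rotated after revoke
        Credential("Canva login", False, date(2025, 11, 2)),     # low value: revoke is enough
    ]),
    Engagement("Q3 ad campaign", "contractor-b", date(2026, 5, 1), None, [
        Credential("Google Ads", True, date(2026, 2, 10)),
    ]),
    Engagement("Docs refresh", "contractor-c", date(2026, 6, 30), None, []),  # still running
]

if __name__ == "__main__":
    for vault, subject, finding in audit(SAMPLE, date(2026, 5, 18)):
        print(f"{vault}: {subject}: {finding}")
```

Run on a schedule, a check like this catches the "six months later their old account still has access" case as soon as the end date passes.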

A common variant: contractor with their own tools

Some contractors will say “I have my own password manager, just send me the credentials.”

Don’t. The whole point of the vault is per-engagement scope and clean revoke. If you send them the literal values, you’re back in the “now they have it forever, in their tool” world.

Compromise pattern: invite them to your vault as View only for the engagement. They can still use their own tool for their own credentials — but your shared engagement credentials live in your vault under your control.

What about contractors abroad?

This is common with VAs, offshore engineers, and contractors in different time zones. The vault is a web app that works from any modern browser, anywhere. No regional restrictions, no IP allowlist required (though you can layer one on individual credentials if you want).

The recovery key model is the same for them — they save their key locally. We never see it. If they lose it after the engagement, that’s their problem; your vault is unaffected.

Summary

  1. One vault per engagement, scope-named.
  2. View only role + per-vault access.
  3. Their own account, never shared.
  4. End-of-engagement: revoke vault access + rotate high-value credentials.
