Password Management for Virtual Assistants: Policies and Tools

VirtualAssistantVA Team

Sharing passwords with a virtual assistant is one of the most common - and most mishandled - aspects of VA security. Done wrong, it creates serious vulnerabilities. Done right, it's a manageable part of a secure working relationship.

See also: data security best practices for VAs, 2FA setup for VA accounts, secure access setup for virtual assistants.

The Password Sharing Problem

Most business owners handle VA password sharing one of three ways:

  1. Email the password - Insecure, creates a permanent record, hard to revoke
  2. Use the same password for everything - Catastrophic if one account is compromised
  3. Give the VA their own login - The right approach, but only sometimes possible

The goal is to give your VA the access they need to do their job without creating uncontrolled exposure to your accounts.

Option 1: Give VAs Their Own Named Accounts (Best)

Whenever a platform supports multiple users, create a named account for your VA rather than sharing your credentials:

  • Google Workspace: Add the VA as a user on your domain, with their own address
  • CRMs (HubSpot, Salesforce): Create a user account with appropriate role permissions
  • Project management (Asana, ClickUp, Notion): Invite as a member
  • Social media (Buffer, Hootsuite): Grant access through the tool's team features
  • E-commerce (Shopify, WooCommerce): Create a staff account with limited permissions

This approach gives you:

  • Individual audit trails showing exactly what the VA accessed
  • Easy access revocation upon offboarding (just deactivate their account)
  • No password sharing required

Option 2: Use a Password Manager With Sharing (Second Best)

When named accounts aren't possible (shared social profiles, some website backends, third-party tools), use a password manager to share credentials securely:

Recommended Password Managers for Teams

1Password Teams

  • Share specific passwords via "vaults" - the VA gets access without seeing the password itself
  • Revoke access to specific credentials without changing passwords
  • Full audit log of who accessed what and when
  • Cost: ~$4/user/month

LastPass Business

  • Shared folders for team credentials
  • Can share without revealing the actual password
  • Activity monitoring

Bitwarden Organizations

  • Open-source option with strong security record
  • Collections-based sharing
  • Cost-effective for small teams (~$3/user/month)

Dashlane Business

  • Secure sharing with permission levels
  • Dark web monitoring included

What to Never Do

  • Never send passwords via email, text, or Slack/Teams messages
  • Never use the same password for multiple accounts
  • Never share your master password for any account
  • Never store passwords in a shared Google Doc or spreadsheet

Setting Up Password Management With Your VA

Step 1: Choose a password manager (1Password Teams or Bitwarden recommended for small businesses)

Step 2: Create a shared vault or collection for credentials your VA needs

Step 3: Add only the passwords they need - apply least-privilege access

Step 4: Share vault access with your VA's account - they can use the credentials without seeing them if the tool supports hidden sharing

Step 5: Document which passwords they have access to, with a review date

Step 6: At offboarding, revoke the VA's access to the shared vault immediately

Password Policy Requirements for Your VA

Include these requirements in your data handling policy or contractor agreement:

  • Must use a password manager for all business account passwords
  • Must not reuse passwords across business accounts
  • All business passwords must be unique and generated by the password manager (not chosen manually)
  • Must enable 2FA on all accounts that support it
  • Must report any suspected account compromise immediately
  • Personal passwords must never be used for business accounts

Account-Specific Access Reviews

Quarterly, review which accounts your VA has access to:

  • Are they still using all these accounts for current tasks?
  • Has their role changed, requiring different access?
  • Are there accounts they were given access to that are no longer needed?

Remove access to anything not actively needed. This limits exposure if the VA's own account or device is ever compromised.
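
The access record from Step 5 and the quarterly review can be checked by a short script. The following is an added example, not part of the original article: the CSV column names, the sample entries, and the 92-day and 90-day thresholds are assumptions, and the offboarding actions follow the revocation guidance on this page.

```python
import csv
import io
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=92)  # "quarterly"; the exact day count is an assumption
IDLE_LIMIT = timedelta(days=90)       # assumption: unused this long = not actively needed

# What to do per access type once the VA is offboarded.
OFFBOARD_ACTION = {
    "named": "deactivate the VA's named account",
    "shared_vault": "remove the VA from the vault and change the password",
}

# Constructed sample register; column names and entries are hypothetical.
SAMPLE_REGISTER = """\
account,holder,access_type,last_reviewed,last_used,offboarded
Shopify staff,va-alex,named,2024-04-02,2024-06-20,
Instagram,va-alex,shared_vault,2024-01-10,2024-06-18,
Mailchimp,va-alex,shared_vault,2024-04-02,2024-02-01,
WordPress admin,va-sam,shared_vault,2024-04-02,2024-05-30,2024-05-31
"""

def _parse(value):
    """Empty cells mean 'never' / 'not applicable'."""
    return date.fromisoformat(value) if value else None

def audit_register(csv_text, today):
    """Return (account, holder, finding) tuples for entries needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = (row["account"], row["holder"])
        offboarded = _parse(row["offboarded"])
        if offboarded and offboarded <= today:
            # Access still listed after the engagement ended.
            action = OFFBOARD_ACTION.get(row["access_type"], "revoke access")
            findings.append((*entry, "offboarded: " + action))
            continue
        reviewed = _parse(row["last_reviewed"])
        if reviewed is None or today - reviewed > REVIEW_INTERVAL:
            findings.append((*entry, "review overdue"))
        used = _parse(row["last_used"])
        if used is None or today - used > IDLE_LIMIT:
            findings.append((*entry, "remove access: not actively used"))
    return findings

if __name__ == "__main__":
    for account, holder, finding in audit_register(SAMPLE_REGISTER, date(2024, 7, 1)):
        print(f"{account} ({holder}): {finding}")
```

Export the register from wherever you keep it (a spreadsheet is enough, since it holds account names and dates, never the passwords themselves) and run the check at each review.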

Frequently Asked Questions

Can I just give my VA my own login credentials?

You can, but it's not recommended. You lose the audit trail (you can't distinguish their activity from yours), revocation becomes harder, and if you change the password, you disrupt their access. Named accounts or password manager sharing are better options.

What if a platform only allows one user?

Use a password manager with the ability to share access to the credential without revealing the password (1Password, LastPass, Bitwarden all support this). The VA can log in without ever seeing your actual password.

How do I revoke access when the engagement ends?

For named accounts: deactivate or delete the account. For shared passwords: remove the VA from your password manager vault, then change any passwords they had direct access to. Do this on the last day of the engagement.

Ready to Hire Securely?

Virtual Assistant VA connects you with professional, vetted VAs. Set up secure access from day one.

