Sharing passwords with virtual assistants is unavoidable. They need access to your email tools, social media accounts, CRMs, scheduling software, and more. The problem is that most business owners handle this insecurely - pasting credentials into Slack messages, storing them in Google Docs, or just emailing login details. Any of these methods is a serious security risk.
A password manager built for team sharing solves this entirely. LastPass and 1Password are the two most widely used options for business teams. Both let you share credentials without revealing the actual password, revoke access instantly, and maintain an audit trail of who accessed what. Here's how to use them safely with a VA.
Why You Should Never Share Passwords Directly
Before getting into setup, it's worth understanding why the casual approach is dangerous. When you paste a password into Slack, it exists in multiple places: the chat history, potentially multiple devices, and any backups Slack stores. If your VA's account is compromised, so is yours. If you later offboard that VA, the credentials don't automatically change.
Beyond the breach risk, there's a control problem. When a VA has a password written down or saved in their browser, you lose the ability to revoke access without changing the password entirely - which then breaks access for every other tool or person using that credential.
A password manager breaks this dependency. The VA accesses the account through the manager. You revoke the share, and access is gone immediately, without changing the password itself.
Setting Up LastPass for a Virtual Assistant
LastPass Business offers folder-based sharing, which is ideal for VA teams. Start by creating a Shared Folder for each VA or each client. Organize credentials inside those folders by category - Social Media, Email Tools, CRM, Client Logins - so VAs can find what they need without scanning through everything.
When you share a credential with a VA, LastPass gives you the option to share without allowing the recipient to see the password. Enable this setting for every login you share. The VA can use the credential - LastPass autofills it - but they cannot read, copy, or export it. This is the single most important security setting to use.
Assign folder access to VA accounts with the minimum permissions needed. If a VA handles only social media, they shouldn't have access to your banking or CRM credentials. Compartmentalization limits exposure if any one account is compromised.
Use the LastPass security dashboard regularly to check for weak or reused passwords on shared accounts. A VA inheriting access to a five-year-old account with a weak password is a liability you need to address.
Setting Up 1Password for a Virtual Assistant
1Password Teams and Business use a Vault system rather than folders. Create a separate vault for each client or functional area, and invite your VA to only the vaults relevant to their work. The permissions structure in 1Password is granular - you can set a vault to allow view-only, allow filling (autofill without viewing passwords), or allow editing.
For VAs, the "view and fill" permission level is usually correct. They can use the credentials but cannot copy the password to an external location. 1Password's Travel Mode is a bonus feature worth knowing: it lets you hide specific vaults when a vault member is traveling, useful if you have any concern about physical device access.
1Password's activity log (Business plan) records every time a credential is viewed or used. If you ever suspect unauthorized access, you can audit exactly what happened. This transparency is valuable when managing multiple VAs across multiple clients.
Both LastPass and 1Password support emergency access procedures - designate a recovery contact in case a primary account is locked out. Set this up before you need it.
Offboarding a VA - Revoking Access Cleanly
Offboarding is where password managers prove their full value. When a VA's contract ends, you should be able to revoke all access in under five minutes. In LastPass, remove the VA from all shared folders. In 1Password, remove them from all vaults. Their access is gone immediately across every device they were using.
After offboarding, run an access audit: log into each platform the VA had access to and check for any saved sessions or connected apps. Revoke any active sessions in the account settings of high-priority platforms like email, social media, and payment tools.
Rotate passwords for any credentials the VA had extended access to, even if you used the "hide password" sharing setting. This is a best practice for any offboarding, not just VA-specific situations.
Additional Security Habits for VA Teams
Enable two-factor authentication on the password manager accounts themselves. If your LastPass or 1Password account is compromised, every credential inside it is exposed. A VA's personal account should also have 2FA enabled before they're given access to shared credentials.
Avoid sharing your own master account with a VA. Instead, create a separate 1Password or LastPass account for each VA and invite them to the relevant vaults or folders from your admin account. This keeps credential access tied to individual identities, not shared logins.
Review shared credentials quarterly. Over time, VAs accumulate access to tools they no longer use. A periodic audit keeps your shared access list clean and minimizes your attack surface.
Ready to Build Your VA-Powered Tech Stack?
Secure credential management is one of the most important systems to get right when working with remote assistants. Stealth Agents works with experienced virtual assistants who understand professional security standards and can integrate smoothly into your existing tools. Visit virtualassistantva.com to connect with a trusted VA who takes your security as seriously as you do.