How to store and share team passwords safely with a zero-knowledge vault

To share team passwords safely in Fada, you store each secret in the zero-knowledge vault instead of pasting it into chat. Secrets are encrypted on your device before they are sent, so neither the server nor anyone scrolling a channel can read them. You then grant access only to the people who need it, and remove that access in one place the moment someone leaves.

This guide walks through the whole flow, in plain words, step by step.

Why is pasting passwords in chat risky?

When you type a Wi-Fi password, a shared admin login, or an API key into a channel, it stops being a secret. It sits in the message history forever. Anyone who joins the channel later can scroll up and read it. It shows up in search. It gets forwarded, screenshotted, and copied into other apps. And when a teammate leaves, the password is still sitting there in plain text — so you have to remember to change it everywhere.

Chat is built to be shared and remembered. Passwords need the opposite: tight control over who can see them, and a clean way to cut access off. That is exactly the gap a vault fills.

What does zero-knowledge mean?

Zero-knowledge means the secret is locked on your own device before it ever leaves it. Think of it as putting your password in a small locked box that only your team holds the key to. You hand the box to Fada to store and pass around, but Fada never gets the key — so the server only ever holds a scrambled version it cannot read.

In practice this means:

• The plain password exists only on the devices of people you shared it with.
• What travels over the network and sits on the server is encrypted gibberish.
• Even someone with full access to the server database cannot read your secrets.

This is different from a normal message, which the server can read in order to deliver and index it. We are honest about the trade-off: zero-knowledge protects the contents, and the strength of that protection depends on your team keeping its own accounts and devices secure. We do not claim any certification we have not earned — the design simply removes the server from the list of things that can leak your password.

How do I add a secret to the vault, step by step?

Here is the routine to move your team off chat-pasted passwords and onto the vault.

1. Stop pasting secrets into chat. Make it a team rule: no passwords, keys, or tokens in channels, threads, or direct messages. If one is already there, move it to the vault and delete the message.

1. Add each shared login to the vault as its own entry. Open the secrets vault and create one entry per secret — the office Wi-Fi, the shared social account, the database login, the payment dashboard. One secret, one entry. Do not bundle several logins into a single note.

1. Give it a clear name. Name the entry so anyone on the team knows what it is without opening it — for example "Instagram – marketing" or "Production database – read only". A good name now saves a dozen "which password is this?" messages later.

1. Share with only the people who need it. Use role-based access to grant the entry to specific people or roles, not the whole workspace. The finance login goes to finance; the deploy key goes to the engineers who deploy. Everyone else simply never sees it.

1. Remove access in one place when someone leaves. When a teammate moves teams or leaves the company, revoke their access from the vault — and rotate the secret if it was sensitive. Because access lives in one place, you are not chasing the password across old chat messages and sticky notes.

1. Keep an audit trail. The vault records who was granted access and when access changed, so you have a clear record for security reviews and can answer "who could see this?" with certainty.

Because secrets are encrypted on each device, the people you share with can read the entry instantly, while the server in the middle still only ever holds the scrambled version.

What about the rest of the workflow?

The vault sits inside the same workspace your team already uses every day, so it fits the normal flow. You still get channels and threads to organize work, search to find conversations, automatic Arabic, French, and English voice-to-text on voice notes, and AI summaries to catch up fast. The difference is that secrets now live in their own protected place instead of leaking into all of that.

The whole experience is mobile-first and works fully right-to-left in Arabic, so the vault reads naturally for Arabic-speaking teams, not as an afterthought.

Can I keep everything on my own server?

Yes. If your team or your security policy requires that nothing lives on someone else's infrastructure, Fada can be self-hosted on your own server. You keep the same zero-knowledge vault, channels, and role-based access — just running entirely under your own control. For most teams the hosted version is simpler to start with, and self-hosting is there when you need it.

Getting started

Moving passwords out of chat and into a vault is one of the highest-value security changes a small team can make, and it takes minutes. Set the no-secrets-in-chat rule, add your shared logins as named entries, and share each one with only the people who need it.

Ready to lock down your team's passwords? create a free Fada workspace and add your first secret to the vault today.