Credential Sharing Guidelines
Last Updated: Sept 18, 2025
Overview
This document provides mandatory guidelines for securely sharing credentials and sensitive information. Following these guidelines is critical to maintaining the security of our systems and protecting sensitive data.
BLUF: Access Test User Portal (TUP) directly when you have VA network access, or use Onceler for sharing credentials when direct access isn't available.
Critical: Why Slack is NOT Secure for Credentials
FOIA Compliance Risk
⚠️ WARNING: All Slack messages are subject to Freedom of Information Act (FOIA) requests. This means:
Any credentials posted in Slack can become publicly accessible
Sensitive test data shared in Slack may be disclosed in FOIA responses
Even deleted messages can be recovered and disclosed
Screenshots containing credentials are equally vulnerable
Security Implications
Sharing credentials in Slack exposes us to:
Unauthorized system access
Data breaches and PII exposure
Compliance violations
Failed security audits
Legal liability
Proper Credential Access and Sharing
For Test User Accounts
Use the Test User Portal (TUP) (requires VA network & GitHub Auth).
⚠️ Note: Test User Dashboard (TUD) (requires SOCKS) is no longer maintained but remains available while TUP is being finalized. Here is the TUD Guide.
The Test User Portal will be the primary source of truth for test accounts and is currently in development. Here is the TUP Guide.
For Sharing Credentials: Use Onceler
URL: https://onceler.app.cloud.gov/
Onceler is the approved method for sharing credentials when direct access isn't possible. It provides:
One-time links that expire after a single view
End-to-end encryption in transit and at rest
No permanent storage - credentials are destroyed after viewing
FOIA-safe - only the link is shared in Slack, never the actual credential
What NEVER to Share in Slack
Prohibited in Any Slack Channel or DM:
❌ Passwords or passphrases
❌ API keys or tokens
❌ SSH keys or certificates
❌ Database connection strings
❌ Service account credentials
❌ Test user credentials
❌ URLs with embedded auth tokens
❌ Screenshots showing credentials
❌ Test User Portal/Dashboard passwords