
We have a project with 3 remote developers and myself. At the moment passwords (server logins, DB passwords etc.) are being shared via emails which are CC'ed to everyone.

Is there a normal workflow for this? We use git for version control, but it doesn't feel right to have our passwords in there (not that email is any more secure).

sam

2 Answers


Besides the above three options, you can also set up a password safe in an application like KeePassX or Password Safe, and share the encrypted file via your version control system (or email if necessary). The key point would be to avoid typing/sending the master password in an email, and to distribute it over a phone call.

dot.yet
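The workflow from the answer above (encrypted secrets file in git, master passphrase shared out of band), written out as an added example that is not from the answer's author or from any of the tools it names. It assumes a POSIX shell and an `openssl` build that supports `-pbkdf2`; the secrets content and passphrase are constructed for the demo. The `check_staged` helper is a hypothetical pre-commit check that refuses to commit the plaintext file, so only the `.enc` copy ever reaches the repository.

```shell
#!/bin/sh
# Added example: keep a shared secrets file encrypted in the repository and
# decrypt it locally with a master passphrase that is distributed by phone,
# never by email or git. Assumes a POSIX sh and openssl with -pbkdf2 support.
set -eu

# Encrypt plaintext $1 into ciphertext $2. The passphrase is read from file
# $3 so it never appears on the command line or in shell history.
encrypt_secrets() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# Reverse of encrypt_secrets: ciphertext $1 -> plaintext $2, passphrase in $3.
decrypt_secrets() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Hypothetical pre-commit guard. $1 is a newline-separated list of staged
# paths (in a real hook: git diff --cached --name-only). Returns 1 if the
# plaintext secrets.env is staged, 0 otherwise; only secrets.env.enc may go in.
check_staged() {
    printf '%s\n' "$1" | grep -qx 'secrets\.env' && return 1
    return 0
}

# Round trip with constructed data; returns 0 when decrypt(encrypt(x)) == x.
roundtrip_ok() {
    tmp=$(mktemp -d)
    printf 'DB_PASSWORD=constructed-example-only\n' > "$tmp/secrets.env"
    printf 'constructed master passphrase\n' > "$tmp/master.txt"
    encrypt_secrets "$tmp/secrets.env" "$tmp/secrets.env.enc" "$tmp/master.txt"
    decrypt_secrets "$tmp/secrets.env.enc" "$tmp/roundtrip.env" "$tmp/master.txt"
    cmp -s "$tmp/secrets.env" "$tmp/roundtrip.env"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Add `secrets.env` to `.gitignore` and commit only `secrets.env.enc`; each developer keeps `master.txt` outside the repository. Because the ciphertext is salted, re-encrypting the same file produces a different `.enc` each time, which is expected and not a sign of tampering.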

What you're doing is problematic because email is not "secure." Anybody who intercepts those communications "on the wire" can read the passwords and log in to those servers as you, and furthermore if one person leaks the credentials you won't know who did it. How bad these security vulnerabilities are depends on how valuable the item you're protecting is. Security is almost always a compromise.

I'll enumerate other possibilities here:

  1. Use PGP encryption on emails. This gives good assurance that only the email recipients can read the message and the passwords it contains. Alternatively, use a phone call or other out-of-band technology to relay sensitive information.

  2. Use a Wiki which is securely hosted and served over SSL, such that only authenticated users can view credentials. Ask each user to create their own account and then grant only the accounts you recognize privileges to view the credentials page.

  3. Create an account for each user and set their password as expired so they are required to change it on their first login. If they successfully change their password, they invalidate the credentials exposed in the email you used to inform them of said new account.

Be creative. You can use other techniques like keeping extra passwords in a root-owned file on the box (as without some sort of shell access, most of those other credentials will be useless).