The initial onboarding stage is a critical step for both employees and employers. However, this process often involves the practice of sharing temporary passwords on the first day, which can expose organizations to security risks.
Traditionally, IT departments have had limited options, either sharing plaintext passwords over email or SMS, or communicating these credentials verbally in person. Both methods carry inherent risks, from man-in-the-middle attacks to simple human error such as poor password management. This vulnerability creates an opening for hackers to use weak or intercepted passwords to gain unauthorized access to corporate systems.
In this article, we explore the pitfalls of traditional password distribution methods during employee onboarding and introduce solutions that strengthen security without compromising accessibility for new hires. Organizations can secure their digital environment from the start and ensure a safe and smooth transition for new team members.
Are temporary passwords always temporary?
Temporary passwords pose a major security risk because, despite being intended for short-term use, they are often not changed by end-users. These passwords are typically set for users to change after their first login, but this important step can be overlooked or forgotten for a variety of reasons, including user carelessness or technical issues during the onboarding process. When temporary passwords are not updated, they are usually weaker and more predictable, leaving them vulnerable to attacks.
The risks associated with temporary passwords are compounded by the fact that they are often simple or follow predictable patterns, making them easy targets for brute force and dictionary attacks. In the past year alone, Specops research has found tens of thousands of malware-stolen credentials containing basic terms such as “welcome,” “guest,” “user,” and “change.” End users may not change these passwords due to a lack of awareness of security measures or simply because the system does not enforce a password change on first login. Additionally, when these passwords are shared in plain text, they can be intercepted by unauthorized third parties.
A real-world example of a breach caused by the misuse of temporary passwords is the incident involving the SolarWinds software company, where attackers were able to access the company’s Orion platform using a simple and well-known password: “solarwinds123.” Although this password was temporary, it was never updated, leading to a large-scale and notorious cyber attack that affected many organizations.
The risks of traditional password sharing
Traditionally, organizations have adopted two main methods for sharing day-one passwords with new hires, each of which has its own security risks. The first is to share the password in plain text, typically via email or SMS. This method is popular because it is simple and convenient, but it carries a significant security risk: plain-text communications can be intercepted by cybercriminals through a man-in-the-middle attack. Once intercepted, these credentials can be used to gain unauthorized access to corporate systems, potentially leading to data breaches and other security incidents.
The second traditional method is to verbally share the password on the employee’s start date. This can be done in person or over the phone. This method reduces the risk of interception compared to plain-text digital communication, but it is still vulnerable. Verbal sharing relies heavily on the availability and coordination of IT staff and new employees, which is logistically challenging and prone to error. Additionally, if the password is shared through a third party, such as a manager, there is an additional risk that the password will be mishandled or accidentally exposed.
Both methods are common practice, but neither provides a secure and reliable way to handle sensitive information such as passwords; both expose organizations to potential security breaches and fall short of information security management best practices.
Securely onboard new users without temporary passwords
Onboarding new users in a more secure manner is crucial to protecting an organization’s data from the get-go. Specops Software now offers First Day Password functionality as part of Specops uReset to address the security gaps inherent in traditional password distribution methods during the employee onboarding process.
This tool revolutionizes the way passwords are handled by eliminating the need to directly share initial passwords with new users: instead of receiving a temporary password that may be intercepted or handled insecurely, new employees can set their own passwords through a secure system.
Here’s how it works: Upon joining the company, new employees receive an enrollment link via text, personal email, or a “reset password” link on their domain-joined device. Clicking this link takes them to a verification screen where they verify their identity using their personal email or mobile phone number. Once verified, they’re directed to a dynamic feedback screen where they can create their own password following the organization’s password policy.
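The flow described above, modelled as a small Python service; this is an added example written for this article, not Specops' implementation or code. It assumes the enrollment link carries a random single-use token whose hash (never the token) is stored server-side, that links expire after 24 hours, that identity is proven by echoing back a one-time code sent to the personal email or mobile number on file, and that the chosen password is stored as a salted PBKDF2 hash. The hostname and the verification channel are constructed stand-ins; no temporary password exists at any point in the exchange.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60   # assumption: enrollment links expire after one day


@dataclass
class Enrollment:
    username: str
    contact: str          # personal email or mobile number given at hire time
    token_hash: str       # SHA-256 of the link token; the token itself is never stored
    code_hash: str        # SHA-256 of the out-of-band verification code
    expires_at: float
    used: bool = False


class EnrollmentService:
    """Toy enrollment service: issue link -> verify contact -> user sets own password."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry can be tested
        self._pending: dict[str, Enrollment] = {}
        self._credentials: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, pbkdf2)

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_link(self, username: str, contact: str) -> str:
        """Create a single-use enrollment link; nothing password-like is sent."""
        token = secrets.token_urlsafe(32)
        self._pending[username] = Enrollment(
            username, contact, self._digest(token), code_hash="",
            expires_at=self._now() + TOKEN_TTL_SECONDS)
        # constructed hostname; a real deployment would use its own enrollment endpoint
        return f"https://enroll.example.invalid/set?u={username}&t={token}"

    def send_verification_code(self, username: str) -> str:
        """Stands in for the SMS/email channel: generates the one-time code that would be
        delivered to the contact on file and returns it so this offline example can use it."""
        rec = self._pending[username]
        code = f"{secrets.randbelow(1_000_000):06d}"
        rec.code_hash = self._digest(code)
        return code

    def complete(self, username: str, token: str, code: str, new_password: str) -> tuple[bool, str]:
        """Consume the link: every check must pass before the user's own password is stored."""
        rec = self._pending.get(username)
        if rec is None:
            return False, "no pending enrollment"
        if rec.used:
            return False, "link already used"
        if self._now() > rec.expires_at:
            return False, "link expired"
        if not hmac.compare_digest(rec.token_hash, self._digest(token)):
            return False, "bad token"
        if not rec.code_hash or not hmac.compare_digest(rec.code_hash, self._digest(code)):
            return False, "contact verification failed"
        salt = secrets.token_bytes(16)
        self._credentials[username] = (
            salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        rec.used = True   # the link cannot be replayed even if it leaks later
        return True, "enrolled"

    def verify_login(self, username: str, password: str) -> bool:
        cred = self._credentials.get(username)
        if cred is None:
            return False
        salt, stored = cred
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    svc = EnrollmentService()
    link = svc.issue_link("jdoe", "jdoe@personal.example")
    token = link.split("t=")[1]
    code = svc.send_verification_code("jdoe")
    print(svc.complete("jdoe", token, code, "CorrectHorse-Battery-9!"))
    print(svc.complete("jdoe", token, code, "anything"))   # second use is refused
```

The two properties worth noting are that the server holds only hashes of the token and the code, so a database read does not yield a usable link, and that the record is marked used before the function returns, so a link that is later forwarded or intercepted cannot be replayed.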
Not only does this method secure the password creation process, it also integrates seamlessly with Specops Password Policies and other Specops products such as Breached Password Protection, which adds an extra layer of security by encouraging longer passwords and blocking the use of over 4 billion known breached passwords. Together, these ensure end users have secure, compliant passwords from day one, significantly reducing the risk of cyber threats.
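An added example, not Specops code, of the two checks the article argues for: a policy check that rejects the weak base terms named in the stolen-credential research ("welcome", "guest", "user", "change") and any password found in a breached list, and an audit that flags accounts whose day-one password was never changed. The minimum length of 15, the 7-day grace period, the extra blocked terms beyond the four the article names, the leetspeak substitutions, the breached-password set (built locally from a few constructed entries plus the "solarwinds123" example from the article), and the shape of the account records are all assumptions for this example.

```python
from __future__ import annotations

import hashlib
import re
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 15                    # assumption: the article only says "longer passwords"
STALE_AFTER = timedelta(days=7)    # assumption: how long an unchanged day-one password is tolerated

# Base terms the article reports in malware-stolen credentials, plus a few assumed extras.
WEAK_BASE_TERMS = {"welcome", "guest", "user", "change", "password", "temp", "letmein"}

# Common substitutions so "W3lc0me2024!" still reduces to "welcome".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a breached-password feed; only digests are kept, as a real
# feed would. "solarwinds123" is the password named in the article.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("solarwinds123", "Welcome1!", "Password123", "changeme")}


def normalize(password: str) -> str:
    """Lower-case, undo leetspeak, and drop digits/symbols to expose the base word."""
    return re.sub(r"[^a-z]+", "", password.lower().translate(LEET))


def check_password(password: str, org_terms=()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    org_terms lets an organization block its own name and product names."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("found in breached-password list")
    base = normalize(password)
    for term in sorted(WEAK_BASE_TERMS | {t.lower() for t in org_terms}):
        if term and term in base:
            problems.append(f"contains blocked term '{term}'")
    return problems


def stale_temporary_accounts(accounts, now: datetime, max_age: timedelta = STALE_AFTER) -> list[str]:
    """Flag accounts whose password has not been set since the account was created and
    which are older than max_age: the 'temporary password that never changed' case.
    Records are dicts with 'username', 'created' and 'pwd_last_set' (assumed export shape)."""
    return [a["username"] for a in accounts
            if a["pwd_last_set"] <= a["created"] and now - a["created"] > max_age]


if __name__ == "__main__":
    for candidate in ("solarwinds123", "W3lc0me2024!", "Gu3stAccess-2024-Secure!",
                      "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate, org_terms=["SolarWinds"]) or "ok")

    now = datetime(2024, 6, 1, tzinfo=timezone.utc)          # constructed audit time
    sample = [  # constructed directory records
        {"username": "jdoe", "created": now - timedelta(days=30), "pwd_last_set": now - timedelta(days=30)},
        {"username": "asmith", "created": now - timedelta(days=30), "pwd_last_set": now - timedelta(days=29)},
        {"username": "newhire", "created": now - timedelta(days=2), "pwd_last_set": now - timedelta(days=2)},
    ]
    print("never changed day-one password:", stale_temporary_accounts(sample, now))
```

The normalization step is what makes the term check useful: "Gu3stAccess-2024-Secure!" passes a length rule and looks complex, yet reduces to a blocked base word, which is exactly the predictable pattern the article describes. The staleness audit complements enforcement at login by catching the accounts where the forced change was skipped or failed.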
With Specops’ First Day Password and its integrated security features, organizations can provide a more secure onboarding experience that protects both new users and the company’s digital assets. Talk to an expert to learn how First Day Password can fit into your organization.