The initial stage of onboarding is an important step for both employees and employers. However, this process often involves the practice of exchanging temporary day-one passwords, which can expose organizations to security risks.
Traditionally, IT departments have been forced into a corner: either hand out passwords in plain text via email or SMS, or set up face-to-face meetings to communicate those credentials verbally. Both methods carry inherent risk, from man-in-the-middle attacks to simple human error in password handling. This weakness creates an opening for attackers who seek to use weak or intercepted passwords to gain unauthorized access to corporate systems.
In this post, we explore the pitfalls of traditional password distribution methods during employee onboarding and present a solution that increases security without compromising ease of access for new hires. Organizations can secure their digital environment from the start, ensuring a secure and seamless transition for new team members.
Do temporary passwords stay temporary?
Temporary passwords pose a significant security risk primarily because, despite their intended short-term use, they are often never changed by end users. Users are expected to change these passwords after logging in for the first time; however, this important step can be overlooked or skipped for various reasons, such as user carelessness or technical issues during the onboarding process. If temporary passwords are not updated, they remain vulnerable to attack because they are usually weaker and more predictable.
The risks associated with temporary passwords are compounded by the fact that they are often simple or follow predictable patterns, making them easy targets for brute-force or dictionary attacks. Studies have found tens of thousands of malware-stolen credentials containing basic terms like “welcome,” “guest,” “user,” and “change” in the past year alone. End users may not change these passwords due to a lack of awareness of security practices, or simply because the system does not require a password change upon first login. Also, if these passwords are transmitted in plain text, they can be intercepted by unauthorized parties.
A real-world example of a breach resulting from misuse of temporary passwords is the incident involving the software company SolarWinds. The attackers were able to gain access to the Orion platform using a simple, well-known password: “solarwinds123”. This password was meant to be temporary but was never updated, leading to a massive and infamous cyber attack that affected many organizations.
Risks of traditional password sharing
Traditionally, organizations have relied on two primary methods of exchanging first-day passwords with new employees, each of which carries its own set of security risks. The first method involves sending passwords in plain text, usually via email or SMS. This approach is often used because it is simple and convenient. However, it poses significant security risks: plain-text messages can be intercepted by cybercriminals using man-in-the-middle attacks. Once intercepted, these credentials can be used to gain unauthorized access to corporate systems, potentially leading to data breaches and other security incidents.
The second traditional method is verbal transmission of passwords on the day the employee starts work. This can happen in person or over the phone. Although this method reduces the risk of interception compared to digital communication in the form of plain text, it still has vulnerabilities. Verbal communication relies heavily on availability and coordination between IT staff and the new hire, which can be logistically difficult and error-prone. On top of that, when the password is shared with a third party, such as a manager, it creates another level of risk where the password can be mishandled or inadvertently disclosed.
Both methods, although widely used, do not provide a secure and reliable means of handling sensitive information such as passwords. They expose organizations to potential security breaches and fall short of information security management best practices.
Secure registration of new users without temporary passwords
Onboarding new users in a more secure way is critical to protecting an organization’s data from the start. Specops Software now offers a First Day Password feature as part of Specops uReset that eliminates the security gaps inherent in traditional password distribution methods during the employee onboarding process.
This tool revolutionizes password management by eliminating the need to share initial passwords directly with new users. Instead of receiving a temporary password that can be intercepted or mishandled, new employees are empowered to set their own passwords through a secure system.
Here’s how it works: After joining, new employees receive a sign-up link via text message, personal email, or through a “reset my password” link on their domain-joined device. This link takes them to a verification screen where they verify their identity using a personal email or mobile phone number. After verification, they are taken to a dynamic feedback screen where they can create their own password according to the organization’s password policy.
This method not only secures the password creation process, but also integrates easily with other Specops products, such as Specops Password Policy with password protection. This tool further enhances security by encouraging longer passwords and blocking the use of more than 4 billion known cracked passwords. This comprehensive approach ensures that end users have secure and compliant passwords from day one, significantly reducing the risk of cyber threats.
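The enrollment flow described above (single-use link, out-of-band identity check, user-chosen password validated against a length rule and a blocklist) can be modelled in a few functions. The following is an added example written for this post, not Specops code: the token lifetime, minimum length, and the breached-password list are assumed, constructed values, and the one-time code is returned to the caller only so the example runs offline.

```python
import hashlib
import hmac
import secrets
import time

MIN_LENGTH = 15            # length-first policy (assumed threshold)
TOKEN_TTL = 24 * 3600      # enrollment link lifetime in seconds (assumed)
# Constructed stand-in for a breached-password blocklist.
BREACHED = {"welcome1", "password123", "solarwinds123", "Welcome2024!"}
_tokens = {}       # sha256(token) -> record; the raw token is never stored
_credentials = {}  # username -> (salt, pbkdf2 hash)

def _now(now):
    return time.time() if now is None else now

def issue_enrollment_link(username, now=None):
    # Single-use, expiring token sent to the hire's personal email or phone
    # in place of a temporary password.
    token = secrets.token_urlsafe(32)
    _tokens[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username, "expires": _now(now) + TOKEN_TTL, "used": False, "otp": None}
    return token

def _lookup(token, now):
    rec = _tokens.get(hashlib.sha256(token.encode()).hexdigest())
    return None if rec is None or rec["used"] or now > rec["expires"] else rec

def start_verification(token, now=None):
    # Identity step: 6-digit code sent out of band (returned here to run offline).
    rec = _lookup(token, _now(now))
    if rec is None:
        return None
    rec["otp"] = f"{secrets.randbelow(10**6):06d}"
    return rec["otp"]

def password_policy_ok(pw):
    return len(pw) >= MIN_LENGTH and pw not in BREACHED

def complete_enrollment(token, otp, new_password, now=None):
    # The hire sets their own password; the link is consumed on success.
    rec = _lookup(token, _now(now))
    if rec is None:
        return "invalid_or_expired_link"
    if rec["otp"] is None or not hmac.compare_digest(rec["otp"], otp):
        return "otp_mismatch"
    if not password_policy_ok(new_password):
        return "policy_violation"
    salt = secrets.token_bytes(16)
    _credentials[rec["user"]] = (salt, hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000))
    rec["used"] = True
    return "ok"
```

Because only a hash of the token is stored and the record is marked used on success, a leaked database or a replayed link yields nothing; an expired or second use of the same link is refused before any password is accepted.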
By using Specops Day One Password and its built-in security features, organizations can provide a more secure onboarding experience that protects both the new user and the company’s digital assets. Talk to an expert to learn how a Day One password can fit into your organization.