[New research] Not so temporary: Most commonly breached new hire passwords

Today, the Specops research team is publishing new data on the most commonly breached new account passwords. We’ve looked at breached passwords that are likely to have been intended as temporary passwords, some of which could have been used to sign up to new apps and websites, and others which may have been given out to end users on the first day of their new job. Temporary passwords are intended to be replaced by the end user (often after they’ve first logged on) but they often stick around, creating risk. This research coincides with the latest addition of over 70 million compromised passwords to the Specops Breached Password Protection service.

Darren James, Senior Product Manager at Specops Software, said this about the findings: “Each time you’ve started a new job, there’s a decent chance you’ve been given a temporary password to get you into your system for the first time. These passwords are usually generated by the IT team, and in theory, should be as strong as any other password. Unfortunately, many organizations do not follow the best practices for password security, such as using long and random passphrases. These first day passwords are also often shared in plaintext.

“But does it matter if these passwords are weak, as they’ll be changed at first logon anyway? Our research shows this isn’t the case and there are many weak ‘first day passwords’ in circulation that have been compromised. The key step of enforcing an immediate password change can be missed. We’ll walk through why first day and default passwords can be a security problem and show you a more secure way to onboard new users.”

Most commonly compromised passwords on new accounts

Our threat intelligence team has run analysis on over 651 million passwords which have been compromised by malware over the last year. We narrowed this data set down to 120,000 compromised passwords which contained words or phrases commonly used in passwords given to new starters. You can see the eight most common base terms below, which are often given slight variations such as welcome123 or newuser1!.

Many end users will reuse their temporary password or simply add numbers or special characters onto the end in order to meet an organization’s password policy. For example, this is a compromised password we found from an intuit.com user who has clearly done just that: Newtemp@123. These simple password structures are well known to attackers and are used in dictionary and brute force attacks.
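The variation pattern described above (a known base term with digits or symbols bolted on) can be checked for at the point where a first-day password is set. The following PowerShell is an added example, not Specops code; the base-term list is an assumption, since the article’s eight terms are only shown in the figure, so substitute the terms your own helpdesk actually hands out.

```powershell
# Added example, not Specops code: flag a candidate password that is just a
# new-starter base term with digits or symbols appended (welcome123,
# newuser1!, Newtemp@123). The base-term list is an assumption; replace it
# with the terms your own IT team actually uses for onboarding.
$NewStarterBaseTerms = @('welcome', 'newuser', 'newtemp', 'temp')

function Test-TemporaryPasswordPattern {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$BaseTerms = $NewStarterBaseTerms
    )
    # Case-fold, then strip the leading and trailing runs of digits/symbols
    # that users add to satisfy a complexity rule: 'Newtemp@123' -> 'newtemp'
    $core = $Password.ToLowerInvariant() -replace '^[^a-z]+', '' -replace '[^a-z]+$', ''
    # Undo the usual character substitutions so 'W3lc0me' also collapses to 'welcome'
    $core = $core -replace '@', 'a' -replace '0', 'o' -replace '1', 'i' `
                  -replace '3', 'e' -replace '\$', 's'
    # Longest term first so 'newtemp' is reported rather than its substring 'temp'
    foreach ($term in ($BaseTerms | Sort-Object Length -Descending)) {
        if ($core.Contains($term)) {
            return [pscustomobject]@{ Password = $Password; BaseTerm = $term; IsTemporaryPattern = $true }
        }
    }
    [pscustomobject]@{ Password = $Password; BaseTerm = $null; IsTemporaryPattern = $false }
}

# Constructed sample input: the variants quoted in the article plus one strong control
$Samples = 'welcome123', 'newuser1!', 'Newtemp@123', 'W3lc0me!2024', 'Horse-Battery-Staple-47'
$Samples | ForEach-Object { Test-TemporaryPasswordPattern -Password $_ } | Format-Table -AutoSize
```

The first four samples are reported with their base term; the passphrase control is not. Substring matching is deliberately broad (it would also flag "temperature"), which is the right trade-off for a blocklist check at password-set time.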

Figure: Most commonly compromised passwords on new accounts (eight most common base terms)

Why temporary passwords are risky

The idea of a default or temporary password is that it’s replaced quickly by a more secure password. However, our research suggests that many end users may simply keep their first day passwords or make slight alterations. This is an issue as attackers can use brute force or cracking tools to guess end users’ weak and common passwords. They can also become compromised via password reuse, when end users reuse work passwords on less secure personal devices, websites, and applications.

Organizations can ‘enforce change at next logon’, but this isn’t always possible due to onboarding technology restrictions. For instance, a new remote user may need to connect to the VPN before their first logon, and some VPN clients cannot authenticate while the “change at next logon” flag is set on the account.
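Where the flag could not be set, the remaining control is to find the accounts that are still on their initial password. As an added example (not Specops code or the Password Auditor), the following PowerShell lists enabled Active Directory users created within an assumed 90-day window who have signed in at least once but whose password has not changed since it was set at account creation; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not Specops code: report enabled AD accounts that have logged on
# but still carry the password set when the account was created, i.e. the
# first-day password is still live. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UnchangedFirstDayPassword {
    param(
        [int]$CreatedWithinDays = 90,   # assumption: scope to recent starters
        [int]$ToleranceMinutes = 5      # pwdLastSet is stamped moments after creation
    )
    $since = (Get-Date).AddDays(-$CreatedWithinDays)
    Get-ADUser -Filter { Enabled -eq $true -and whenCreated -ge $since } `
        -Properties whenCreated, PasswordLastSet, LastLogonDate, pwdLastSet |
      Where-Object {
        # pwdLastSet of 0 means "must change at next logon" is already enforced,
        # so those accounts are not a finding (and PasswordLastSet would be null)
        $_.pwdLastSet -ne 0 -and
        # LastLogonDate derives from the replicated lastLogonTimestamp and can
        # lag real logons by up to 14 days; good enough to prove the user is active
        $null -ne $_.LastLogonDate -and
        ($_.PasswordLastSet - $_.whenCreated).TotalMinutes -le $ToleranceMinutes
      } |
      Select-Object SamAccountName, whenCreated, PasswordLastSet, LastLogonDate
}

# Report the findings; uncomment the last line to force a change at next logon
$stale = Get-UnchangedFirstDayPassword
$stale | Format-Table -AutoSize
# $stale | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true }
```

Accounts whose password was later reset by the helpdesk drop out of the report because PasswordLastSet moves past whenCreated, so what remains is exactly the population the research describes.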

Here are some recent high-profile examples of weak temporary or default passwords being exploited and leading to major breaches:

  • Aliquippa Water Authority: Federal authorities claim Iranian hackers recently hacked a small water authority in Pennsylvania. They got in due to a default password (1111) that had never been changed.
  • SolarWinds: Default and easily guessable passwords specific to individual organizations can be just as risky. Software company SolarWinds was hit by a massive and infamous cyberattack that compromised its Orion platform. Attackers were able to access the platform using the password ‘solarwinds123’, which was publicly available on GitHub.
  • Verkada: The cloud-based security camera company suffered a breach that exposed live feeds from over 150,000 cameras in schools, hospitals, prisons, and other facilities. The hackers said they gained access using a “super admin” account with a default password.
  • New York City Law Department: An unknown group of hackers exploited a vulnerability in the department’s Pulse Secure VPN software, which had a default password of “123456” that was never changed.

Find more compromised passwords in your network

Today’s update to the Breached Password Protection service includes an addition of over 17 million compromised passwords to the list used by Specops Password Auditor. You can find out how many of these compromised passwords are being used by your end users with a quick scan of your Active Directory with our free auditing tool: Specops Password Auditor.

Specops Password Auditor is read-only and doesn’t store Active Directory data, nor does it make any changes to Active Directory. You’ll get an easy-to-understand exportable report detailing password-related vulnerabilities that could be used as entry points for attackers. Download for free here.

Challenges of sharing first day Active Directory passwords

Our research covers malware-stolen passwords that fall into the obvious category of first day or temporary passwords. However, the way organizations onboard new users means even strong first day passwords in your Active Directory can be put at risk. The inherent nature of onboarding a user to Active Directory means IT departments are usually forced to do one of two things: 1) insecurely share plaintext passwords via text or email, or 2) find a way to verbally share the password in person.

Sharing plaintext passwords via email or SMS is risky. With these methods the plaintext password is visible to IT or HR teams, and the message itself is exposed to interception (man-in-the-middle) attacks in transit. The alternative is sharing passwords verbally in person, which can be a burden and might not even be possible for remote or geographically dispersed organizations. Risks increase if an organization doesn’t have policies in place to force end users to immediately change their password. The end user might simply keep their temporary password and, even worse, reuse it.

How to securely onboard new users without temporary passwords

Specops recently announced the release of First Day Password to help secure employee onboarding. It eliminates the need to share first passwords with new Active Directory users: end users reset their onboarding password without ever knowing that first password themselves. First Day Password removes the need for IT to hand out a temporary first day password in the first place – users instead verify their identity through an ID service and then set their own password.

IT teams can set a long, random first password for the new employee as part of spinning up a new Active Directory user. However, the employee will never need to know this first password. This is highly beneficial for organizations with hybrid environments and remote users, as First Day Password will update the cached credential (of that first random password set by IT staff). It also helps with compliance against standards such as NIST and PCI, as an immediate change can be forced at next logon.

From a new employee’s perspective, the process is simple too. They reset their passwords via an enrollment link shared via text, email, or ‘reset my password’ link on their domain-joined device. This is the first screen they’ll see.

Figure: First stage of setting a first password (First Day Password user interface screen, Specops uReset)

They can then verify their identity via personal email or text, as shown in the screenshot below. These two options tend to be the only realistic ones available to IT teams for verifying a new joiner.

Figure: Identity verification step

After that, they’re sent to a dynamic feedback screen to create their new password. They’ll get real-time feedback on how to comply with your organization’s policy. First Day Password customers who are also using Specops Password Policy and Breached Password Protection can encourage longer passwords with the length-based password aging meter shown in the screenshot below, as well as block the use of over 4 billion known compromised passwords. End users will have secure, compliant passwords from day one.

Figure: Specops dynamic feedback with length-based ageing

Interested in seeing how First Day Password could fit in with your organization? Have questions on how you could adapt this for your needs? Contact us or see how it works with a demo or free trial.

(Last updated on May 14, 2024)
