New hires, old problems: How to reduce password risk during onboarding 

The first week of a new job always seems to involve plenty of time with the IT team – especially when onboarding remote employees. Setting up hardware, access, and passwords is an essential step. One of the first and most important things to happen is sharing an Active Directory password with a new joiner – but this seemingly simple task can come with risk attached. We’ll look at the areas where risk is created during the onboarding process (around passwords in particular) and share some ways you can reduce this risk in the future.

How do organizations share passwords – and why is it risky? 

There’s always a risk when sharing sensitive information between parties. These are a few areas where risk can be created during the password-sharing part of onboarding. 

Risk of interception

Organizations typically give new employees their passwords by sharing them in plain text via personal email or SMS. This exposes the password to potential interception by man-in-the-middle attacks, where an unauthorized party could capture the password and use it to gain unauthorized access. 

Verbal communication of passwords

Another way to give a new joiner their password is to share it verbally on the employee’s start date. Verbal sharing can be burdensome for IT staff and may lead to passwords being shared with the employee’s manager, introducing additional risk of social engineering to both parties. The password could also be overheard by others, forgotten, or incorrectly noted by the employee. Additionally, this method does not promote good password practices, such as encouraging employees to change their passwords regularly or to use strong, unique passwords for different accounts. 

Vulnerability to social engineering  

Cybercriminals target new joiners because these employees are often unfamiliar with the company’s processes, communication styles, or security protocols, making them vulnerable to social engineering attacks. New employees are also generally eager to make a good impression, which might lead them to hastily click on links or attachments without proper verification. Attackers can easily use public information on LinkedIn and company websites to identify new joiners, chains of command, and vendor relationships. This helps them craft believable spear phishing campaigns targeted at individuals.

Failure to change temporary passwords  

In most cases, new joiners are given a simple temporary password that the IT team instructs them to change. If that password isn’t changed in a timely manner, risk follows: new employees don’t always change the temporary login passwords provided by the IT team, which leaves the organization exposed to attack if the password was weak or easily guessable.

Specops researchers analyzed a year’s worth of malware-stolen credentials and found that 120,000 of them included common terms associated with new hire passwords. The most commonly breached new hire passwords often include simple and predictable terms like ‘welcome123’ or ‘newuser1!’. The data showed that many end users will reuse their temporary password or simply add numbers or special characters onto the end in order to meet an organization’s password policy. These simple password structures are known to attackers and used in dictionary and brute-force attacks.
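As an added illustration (this is not Specops code and does not describe how their product works), here is a small Python check that catches the two patterns described above: a password built on a predictable new-hire term with digits or symbols tacked on, and a chosen password that merely extends the temporary one IT handed out. The term list, the breached-password set, the leet-speak map and the sample accounts are all constructed placeholders; a real deployment would feed these from the organization’s own policy and a compromised-password source.

```python
import re

# Constructed list of base words commonly seen in temporary / new-hire passwords.
# "acmecorp" is a placeholder for the organization's own name.
NEW_HIRE_TERMS = {
    "welcome", "newuser", "newhire", "password", "changeme",
    "temp", "onboard", "acmecorp",
}

# Constructed stand-in for a real breached-password list (exact-match lookup).
BREACHED = {"welcome123", "newuser1!", "password1", "summer2023"}

# Common character substitutions, undone so "p@ssw0rd" is recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(password):
    """Reduce a password to its base word: lowercase, strip leading/trailing
    digits and symbols, then undo common leet substitutions."""
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # "welcome123!" -> "welcome"
    base = re.sub(r"^[\d\W_]+", "", base)   # "!!welcome"   -> "welcome"
    return base.translate(LEET)             # "p@ssw0rd"    -> "password"


def check_password(candidate, temporary=None):
    """Return the reasons a candidate password should be rejected.
    An empty list means it passed these (deliberately narrow) checks."""
    reasons = []

    if candidate.lower() in BREACHED:
        reasons.append("appears in breached-password list")

    base = normalize(candidate)
    if base in NEW_HIRE_TERMS:
        reasons.append(f"built on predictable new-hire term '{base}'")

    if temporary is not None:
        c, t = candidate.lower(), temporary.lower()
        # Same password, the temp password with characters appended,
        # or the same base word with different digits/symbols.
        if c == t or c.startswith(t) or base == normalize(temporary):
            reasons.append("reuses the temporary password (possibly with characters appended)")

    return reasons


def audit(accounts, temporary_passwords=None):
    """Check a mapping of username -> chosen password and return only the
    flagged users with their reasons. temporary_passwords maps username ->
    the temp password IT issued, where one is known."""
    temporary_passwords = temporary_passwords or {}
    flagged = {}
    for user, password in accounts.items():
        reasons = check_password(password, temporary_passwords.get(user))
        if reasons:
            flagged[user] = reasons
    return flagged


# Constructed sample data: three new joiners and the temp passwords two of them received.
SAMPLE_ACCOUNTS = {
    "jdoe": "Welcome123!",              # temp password with "!" appended
    "asmith": "Autumn-Leaf-Harbor-42",  # unrelated passphrase
    "bchen": "Temp2024!!",              # temp password with "!!" appended
}
SAMPLE_TEMPS = {"jdoe": "Welcome123", "bchen": "Temp2024"}

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS, SAMPLE_TEMPS).items():
        print(user, "->", "; ".join(reasons))
```

The normalization step is what makes the check useful against the structures the research describes: it ignores the digits and symbols users append to satisfy a length or complexity rule and compares the word underneath. Run over a list of accounts created in the last few weeks (with the temp passwords IT issued, if they are recorded), it gives a short list of joiners whose first real password is effectively still the temporary one.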

Interested to learn how many weak and breached passwords are currently in use within your Active Directory? Run a read-only scan of your Active Directory with Specops Password Auditor against one billion compromised passwords and get a report detailing your password-related vulnerabilities – download for free here.  

Is there a secure way to share first day passwords? 

As described above, there are two key areas of risk with onboarding and passwords: first, the insecure ways that organizations share passwords with new joiners; second, the risk of employees not updating a temporary password. To mitigate these risks, organizations can use a solution such as Specops’ First Day Password, which allows new hires to set their own passwords securely without knowing the initial temporary password.

The Specops First Day Password feature eliminates the need to share first passwords in plain text or verbally by enabling new employees to set their first passwords through an enrollment link sent to their personal email or mobile number, or via the “reset my password” link on their domain-joined device. This link directs them to a dynamic feedback screen where they can create a password that adheres to the organization’s policy.  

First Day Password can also be combined with Specops Password Policy and Breached Password Protection to encourage the creation of strong passwords and block the use of over 4 billion known compromised passwords. 

Try Specops First Day Password  

To mitigate onboarding risks, eliminate the need for temporary passwords. First Day Password allows new users to set their own secure passwords after verifying their identity, without ever knowing the initial password set by IT. This method not only reduces the risk associated with sharing plaintext passwords but also ensures compliance with security regulations. 

Have questions about how First Day Password could work for your environment? Want to see a demo of the full solution? Get in touch


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
