Employee onboarding is a busy time for IT teams. New starters need devices, accounts, access permissions, and passwords, all delivered within a tight timeframe.
That usually means sharing a temporary “first-day” password so employees can access systems for the first time. The issue is that these passwords don’t always stay temporary. They may be sent over email or SMS, reused across accounts, or never changed at all, creating unnecessary risk during the onboarding process.
For attackers, weak or poorly managed onboarding credentials can provide an easy route into corporate systems. To make the onboarding process more secure without slowing new employees down, it’s important to understand why typical password-sharing methods introduce risk.
When convenience overrides security
The most common approach to sharing initial credentials with new employees is to send them in plain text over email or SMS. It’s quick and convenient, especially during busy onboarding periods, but it also creates an obvious exposure point. If those messages are intercepted, forwarded, or accessed on an unsecured device, attackers can gain immediate access to corporate accounts and systems.
The alternative is sharing passwords verbally, either in person or over the phone. While this reduces the risk of digital interception, it creates operational challenges of its own. IT teams and new starters need to coordinate schedules, and the process often breaks down when managers or third parties are asked to relay credentials on IT’s behalf. The more people involved in handling a password, the greater the chance of it being mishandled or disclosed.
Neither method provides a particularly secure or scalable way to handle onboarding credentials. In many cases, organizations are balancing ease of access against security, and temporary passwords end up becoming a long-term weakness rather than a short-term onboarding step.
Source: The Hacker News