The initial onboarding stage is a crucial step for both employees and employers. However, this process often involves the practice of sharing temporary first-day passwords, which can expose organizations to security risks.
Traditionally, IT departments have been cornered into either sharing passwords in plain text via email or SMS, or arranging in-person meetings to verbally communicate these credentials. Both methods carry inherent risks, from man-in-the-middle interception to the simple human error of password mismanagement. This weakness creates openings for attackers, who aim to use weak or intercepted passwords to gain unauthorized access to corporate systems.
In this post, we explore the pitfalls of traditional password distribution methods during employee onboarding and introduce a solution that enhances security without compromising the ease of access for new hires. It's possible for organizations to safeguard their digital environments right from the start, ensuring a secure and smooth transition for new team members.
Do temporary passwords stay temporary?
Temporary passwords pose significant security risks primarily because they're often not changed by end users, despite their intended short-term use. These passwords are typically set to be replaced by the user after their first login; however, this crucial step can be overlooked or missed due to various reasons such as user negligence or technical issues during the onboarding process. When temporary passwords are not updated, they remain vulnerable to attacks because they are usually weaker and more predictable.
The risks associated with temporary passwords are compounded by the fact that they're often simple or follow predictable patterns, making them easy targets for brute force or dictionary attacks. Specops research found tens of thousands of malware-stolen credentials with base terms like 'welcome', 'guest', 'user', and 'change' from the past year alone. End users might not change these passwords due to a lack of awareness about security practices or simply because the system does not enforce a password change upon first login. Additionally, if these passwords are shared in plain text, they can be intercepted by unauthorized parties.
A real-life example of a breach resulting from the misuse of temporary passwords is the incident involving the SolarWinds software company. Attackers were able to access the company's Orion platform using a simple, publicly known password: "solarwinds123". This password was intended to be temporary but was never updated, leading to a massive and infamous cyberattack that impacted many organizations.
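The failure mode described above (a first-day password that is provisioned and then never replaced, because nothing forces a change at first logon) is straightforward to detect from directory data. The following audit is an added example, not code from Specops or from the post; the account records are a constructed stand-in for an Active Directory export (whenCreated, pwdLastSet, enabled flag), the grace period and provisioning window are assumed values, and the password-set-at-creation heuristic is mine:

```python
"""Flag accounts that are still running on the password set at provisioning.

Added example, not Specops code. Record fields mirror AD attributes:
'created' ~ whenCreated, 'pwd_last_set' ~ pwdLastSet (None models the
"user must change password at next logon" state, where pwdLastSet is 0).
"""
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)                 # assumed: a temp password should be gone within a week
PROVISION_WINDOW = timedelta(minutes=5)   # assumed: a password set this close to creation is the temp one


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample accounts (not real directory data)
ACCOUNTS = [
    {"sam": "alice", "created": _t("2024-05-01T09:00"), "pwd_last_set": _t("2024-05-01T09:02"), "enabled": True},
    {"sam": "bob",   "created": _t("2024-05-01T09:00"), "pwd_last_set": _t("2024-05-02T08:15"), "enabled": True},
    {"sam": "carol", "created": _t("2024-05-20T09:00"), "pwd_last_set": None,                  "enabled": True},
    {"sam": "dave",  "created": _t("2024-03-10T09:00"), "pwd_last_set": None,                  "enabled": True},
    {"sam": "erin",  "created": _t("2024-03-10T09:00"), "pwd_last_set": _t("2024-03-10T09:01"), "enabled": False},
]

FINDING_STATES = ("stale_temp_password", "unused_temp_credential")


def classify(acct: dict, now: datetime) -> str:
    """Classify one account relative to 'now'.

    stale_temp_password    - password set at provisioning, never changed, past grace
    unused_temp_credential - must-change flag still set, nobody has logged in, past grace
    awaiting_first_logon   - must-change flag set, still inside the grace period
    ok_recent              - provisioned recently; change not yet expected
    ok / disabled          - nothing to do
    """
    if not acct["enabled"]:
        return "disabled"
    age = now - acct["created"]
    if acct["pwd_last_set"] is None:
        return "awaiting_first_logon" if age <= GRACE else "unused_temp_credential"
    if acct["pwd_last_set"] - acct["created"] <= PROVISION_WINDOW:
        return "ok_recent" if age <= GRACE else "stale_temp_password"
    return "ok"


def audit(accounts: list, now: datetime) -> dict:
    """Map each sAMAccountName to its classification."""
    return {a["sam"]: classify(a, now) for a in accounts}


def findings(accounts: list, now: datetime) -> list:
    """Accounts that need action: force a change at next logon, or disable and reissue."""
    return sorted(sam for sam, state in audit(accounts, now).items() if state in FINDING_STATES)


if __name__ == "__main__":
    for sam, state in audit(ACCOUNTS, _t("2024-05-22T12:00")).items():
        print(f"{sam:8} {state}")
```

In a real environment the same records come from Get-ADUser with the pwdLastSet and whenCreated properties, and the remediation for a stale_temp_password finding is to set the must-change flag (Set-ADUser -ChangePasswordAtLogon $true) rather than to hand out yet another temporary password; an unused_temp_credential past the grace period is a live credential nobody is using and should be disabled until the hire actually starts.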
Risks of traditional password sharing
Traditionally, organizations have relied on two main methods to share first-day passwords with new employees, each carrying its own set of security risks. The first method involves sharing passwords in plain text, typically via email or SMS. This approach is straightforward and often used due to its simplicity and convenience. However, it poses significant security risks. Plain text communication can be intercepted by cybercriminals through man-in-the-middle attacks. Once intercepted, these credentials can be used to gain unauthorized access to corporate systems, potentially leading to data breaches and other security incidents.
The second traditional method is sharing passwords verbally on the employee's start date. This can occur either in person or over the phone. While this method reduces the risk of interception compared to plain text digital communications, it still has vulnerabilities. Verbal sharing depends heavily on the availability and coordination between IT staff and the new employee, which can be logistically challenging and prone to errors. On top of that, if the password is shared through a third party, such as a manager, it introduces another layer of risk where the password could be mishandled or inadvertently disclosed.
Both methods, while commonly practiced, fail to provide a secure and reliable means of handling sensitive information such as passwords. They expose organizations to potential security breaches and don't align with best practices for information security management.
Securely onboard new users without temporary passwords
Onboarding new users in a more secure manner is crucial for protecting organizational data right from the start. Specops Software now offers its First Day Password feature as part of Specops uReset to address the security gaps inherent in traditional password distribution methods during the employee onboarding process.
This tool revolutionizes how passwords are handled by eliminating the need to share initial passwords directly with new users. Instead of receiving a temporary password that could be intercepted or insecurely handled, new employees are empowered to set their own passwords through a secure system.
Here's how it works: upon joining, new employees receive an enrollment link via text, personal email, or through a "reset my password" link on their domain-joined device. This link takes them to a verification screen where they confirm their identity using their personal email or mobile number. Once verified, they proceed to a dynamic feedback screen where they can create their own password in compliance with the organization's password policy.
This method not only secures the password creation process but also integrates seamlessly with other Specops products like Specops Password Policy with Breached Password Protection. That product enhances security further by encouraging the creation of longer passwords and blocking the use of over 4 billion known compromised passwords. This comprehensive approach ensures that from day one, end users have secure, compliant passwords, significantly reducing the risk of cyber threats.
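The flow described in the two paragraphs above (an enrollment link, identity verification through a personal contact channel already on file, then a policy-checked password chosen by the user) is a general pattern that can be implemented independently of any product. The following is an added example written for this post, not Specops code and not a description of how uReset is built internally; the URL, the time limits, the minimum length, the PBKDF2 iteration count and the tiny breached-hash list are all assumed or constructed. It also folds in the weak base terms ('welcome', 'guest', 'user', 'change') quoted earlier in the post as a policy check, so one block covers both the verification flow and the policy enforcement:

```python
"""Single-use, time-limited first-day enrollment: the new hire proves control of a
personal contact channel, then sets their own password against policy.
Added illustrative example; not Specops code. All names/values are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

LINK_TTL = 24 * 3600      # assumed: enrollment link valid for one day
OTP_TTL = 10 * 60         # assumed: verification code valid for ten minutes
MIN_LENGTH = 15           # assumed policy value
PBKDF2_ROUNDS = 100_000   # assumed; tune for your hardware
BASE_TERMS = ("welcome", "guest", "user", "change")   # weak base terms named in the post

# Constructed stand-in for a breached-password list (SHA-1 hex, as such lists are usually keyed)
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("Welcome2024!!!!!", "Summer2024Summer")}


def _h(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if any(term in password.lower() for term in BASE_TERMS):
        problems.append("contains_base_term")
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("breached")
    return problems


@dataclass
class Enrollment:
    username: str
    contact: str                  # personal email or mobile number already on file from HR
    token_hash: bytes             # only the hash of the link token is stored server-side
    link_expires: float
    otp_hash: Optional[bytes] = None
    otp_expires: float = 0.0
    verified: bool = False
    used: bool = False


class FirstDayEnrollment:
    def __init__(self, now=time.time):
        self._now = now
        self._enrollments: dict = {}
        self.outbox: list = []          # (contact, message) that would go out by email/SMS
        self.password_hashes: dict = {}  # username -> (salt, pbkdf2 hash)

    def issue_link(self, username: str, contact: str) -> str:
        """IT action: create a single-use link for the hire; returns the token for delivery."""
        token = secrets.token_urlsafe(32)
        self._enrollments[username] = Enrollment(username, contact, _h(token), self._now() + LINK_TTL)
        self.outbox.append((contact, f"https://enroll.example.test/{username}?t={token}"))
        return token

    def _live(self, username: str, token: str) -> Optional[Enrollment]:
        """Return the enrollment only if the token matches and the link is unexpired and unused."""
        e = self._enrollments.get(username)
        if e is None or e.used or self._now() > e.link_expires:
            return None
        return e if hmac.compare_digest(e.token_hash, _h(token)) else None

    def request_code(self, username: str, token: str) -> bool:
        """Hire opens the link: send a one-time code to the contact on file (not to the link)."""
        e = self._live(username, token)
        if e is None:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        e.otp_hash, e.otp_expires = _h(code), self._now() + OTP_TTL
        self.outbox.append((e.contact, f"Your enrollment code is {code}"))
        return True

    def confirm_code(self, username: str, token: str, code: str) -> bool:
        """Hire types the code back; constant-time comparison against the stored hash."""
        e = self._live(username, token)
        if e is None or e.otp_hash is None or self._now() > e.otp_expires:
            return False
        if not hmac.compare_digest(e.otp_hash, _h(code)):
            return False
        e.verified = True
        return True

    def set_password(self, username: str, token: str, password: str) -> list:
        """Final step: [] on success, otherwise the policy violations or ['not_verified']."""
        e = self._live(username, token)
        if e is None or not e.verified:
            return ["not_verified"]
        problems = check_policy(password)
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.password_hashes[username] = (
            salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))
        e.used = True   # the link cannot be replayed to set the password a second time
        return []
```

Two design points worth noting: no password ever travels over email, SMS or a phone call, because the hire is the only party who ever knows it; and the link alone is not enough, since the verification code goes to a channel that HR recorded before the link was issued, so a stolen link still needs the hire's phone or personal mailbox.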
By using Specops' First Day Password and its integrated security features, organizations can provide a more secure onboarding experience that protects both the new user and the company's digital assets. Speak to an expert to learn how First Day Password could fit in with your organization.