
The Onboarding Password Mistake That Creates Unnecessary Risk

By The Hacker News
June 15, 2026


Employee onboarding is a busy time for IT teams. New starters need devices, accounts, access permissions, and passwords, all delivered within a tight timeframe.

That usually means sharing a temporary “first-day” password so employees can access systems for the first time. The issue is that these passwords don’t always stay temporary. They may be sent over email or SMS, reused across accounts, or never changed at all, creating unnecessary risk during the onboarding process.

For attackers, weak or poorly managed onboarding credentials can provide an easy route into corporate systems. To make the onboarding process more secure without slowing new employees down, it’s important to understand why typical password-sharing methods introduce risk.

When convenience overrides security

The most common approach to sharing initial credentials with new employees is to send them in plain text over email or SMS. It’s quick and convenient, especially during busy onboarding periods, but it also creates an obvious exposure point. If those messages are intercepted, forwarded, or accessed on an unsecured device, attackers can gain immediate access to corporate accounts and systems.

The alternative is sharing passwords verbally, either in person or over the phone. While this reduces the risk of digital interception, it creates operational challenges of its own. IT teams and new starters need to coordinate schedules, and the process often breaks down when managers or third parties are asked to relay credentials on IT’s behalf. The more people involved in handling a password, the greater the chance of it being mishandled or disclosed.

Neither method provides a particularly secure or scalable way to handle onboarding credentials. In many cases, organizations are balancing ease of access against security, and temporary passwords end up becoming a long-term weakness rather than a short-term onboarding step.

A more secure approach to onboarding passwords

Traditional onboarding methods create risk because organizations are forced to share temporary passwords in the first place. Specialized solutions such as Specops First Day Password, available as part of Specops uReset, address this by removing the need to distribute first-day passwords altogether.

Specops First Day Password

Instead of receiving a temporary credential over email, SMS, or phone, new employees set their own password through a secure enrollment process. Users receive an enrollment link via personal email, text message, or a “reset my password” option on their domain-joined device. After verifying their identity using a personal email address or mobile number, they can create a password that meets the organization’s policy requirements from the outset.

This approach reduces the risk associated with intercepted or mishandled onboarding credentials while making the process easier for both IT teams and new starters.

The risk of temporary passwords becoming permanent

Most onboarding credentials are designed to be temporary, with employees expected to create a new password after their first login. However, it’s easy for busy users to miss this step and delay changing their password. Onboarding workflows may also fail to enforce a reset, or temporary credentials may remain active without anyone noticing.

That creates a problem because first-day passwords are rarely designed with long-term security in mind. They’re simpler, more predictable, or generated in bulk to speed up onboarding. If those credentials remain active, they become an easy target for attackers looking for low-effort ways into corporate systems.
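One way to catch first-day passwords that outlive onboarding is to audit a directory export for enabled accounts that still hold their initial credential. The script below is an added example, not part of the original article or any Specops product; the CSV column names, the three-day grace period, the ten-minute provisioning window and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real data); column names are assumptions.
SAMPLE_EXPORT = """account,created,password_last_set,must_change_at_next_logon,enabled
a.nguyen,2026-05-04T09:00:00,2026-05-04T09:00:00,true,true
b.okafor,2026-05-04T09:05:00,2026-05-04T09:05:30,false,true
c.silva,2026-05-04T09:10:00,2026-05-05T08:42:00,false,true
d.meyer,2026-06-14T09:00:00,2026-06-14T09:00:00,true,true
e.rossi,2026-04-01T09:00:00,2026-04-01T09:00:00,false,false
"""
SAMPLE_NOW = datetime(2026, 6, 15, 12, 0)  # constructed audit time

GRACE = timedelta(days=3)                   # assumed time allowed to finish onboarding
PROVISIONING_WINDOW = timedelta(minutes=10) # password set this soon after creation
                                            # is treated as the IT-issued one

def audit_first_day_passwords(export_text, now):
    """Return (account, reason, age_in_days) for enabled accounts whose
    temporary password is still in place after the grace period."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].lower() != "true":
            continue  # disabled accounts cannot be logged into
        created = datetime.fromisoformat(row["created"])
        pwd_set = datetime.fromisoformat(row["password_last_set"])
        must_change = row["must_change_at_next_logon"].lower() == "true"
        age = now - created
        if age <= GRACE:
            continue  # still inside the normal onboarding window
        if must_change:
            # Reset is enforced but the user never logged in to perform it.
            findings.append((row["account"], "reset-pending", age.days))
        elif pwd_set - created <= PROVISIONING_WINDOW:
            # No reset enforced and the password dates from provisioning.
            findings.append((row["account"], "reset-not-enforced", age.days))
    return findings

if __name__ == "__main__":
    for account, reason, days in audit_first_day_passwords(SAMPLE_EXPORT, SAMPLE_NOW):
        print(f"{account}: {reason} ({days} days since creation)")
```

Accounts flagged as reset-not-enforced point to a gap in the onboarding workflow itself, while reset-pending accounts are candidates for disabling until the new starter actually enrolls.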

Recent incidents show how dangerous unchanged default or temporary credentials can be, particularly when they’re left exposed on internet-facing systems or tied to sensitive user data.

Exploiting weak credentials in critical infrastructure

In November 2023, the Municipal Water Authority of Aliquippa in Pennsylvania, USA, was targeted by the Iranian-linked hacktivist group Cyber Av3ngers. The hackers exploited programmable logic controllers (PLCs) protected by the default credential “1111”, which allowed them to gain control of a remote booster station serving two townships. While there was no risk to the water supply, CISA underlined the severity of the issue by alerting other facilities to update the default credentials in similar systems and disconnect PLCs from the open internet.

The incident is a good example of how setup credentials can become a long-term security weakness. A password intended for initial deployment or testing remained active on production systems, giving attackers a straightforward route into operational technology environments.

Breaching a hiring platform through a poorly protected admin account

In 2025, researchers discovered that McDonald’s AI-powered hiring platform, McHire, could be accessed through a weak legacy administrator account reportedly using “123456” as both the username and password. The platform, operated by Paradox.ai, handled large volumes of applicant information as part of the recruitment and onboarding process.

Using the default credentials, the researchers were able to access a test “restaurant” environment within the McHire platform. From there, they could view chat interactions linked to more than 64 million job applications. Paradox.ai responded quickly after the issue was responsibly disclosed, resolving the vulnerability and updating its security policies. However, the incident highlights how easily forgotten default or test credentials can create serious exposure when they remain connected to live systems.

Secure your onboarding processes with Specops

Passwords aren’t disappearing any time soon; even as passkeys and passwordless authentication grow in popularity, passwords still play a central role in most onboarding and access management processes.

That means organizations need secure, reliable ways to manage credentials throughout their entire lifecycle, including the very first password a user receives. Sharing temporary credentials or forgetting to reset default passwords creates unnecessary risk that attackers are quick to exploit.

Reducing that risk doesn’t have to make onboarding more complicated. By allowing users to securely create their own passwords from day one, organizations can improve security while giving IT teams a more scalable and manageable onboarding process.

Specops helps organizations strengthen password security at every stage of the user lifecycle, from onboarding and password creation through to ongoing policy enforcement and breached password protection. If you’d like to see how our solutions could work in your organization, book a demo today.

This article is a contributed piece from one of our valued partners.
