Cybersecurity experts are raising concerns over password management practices during employee onboarding, warning that weak or poorly handled temporary credentials may create avoidable security risks for organizations. According to cybersecurity researchers, onboarding periods are often operationally demanding for IT teams as new employees require devices, accounts, permissions, and login credentials within short timeframes. To simplify access on a new employee’s first day, organizations frequently rely on temporary passwords delivered through email, SMS, or verbal communication. However, researchers caution that these credentials often remain active longer than intended, are reused across multiple accounts, or are never updated, increasing exposure to unauthorized access and account compromise. Security professionals noted that attackers frequently target weak onboarding practices because temporary credentials may provide a relatively simple entry point into broader enterprise systems.
According to cybersecurity guidance shared by password security specialists, one of the most common onboarding practices involves transmitting initial credentials in plain text through email or text messages due to convenience and operational efficiency. While this approach can accelerate employee setup, researchers warned that passwords shared through unsecured channels may be intercepted, forwarded, or exposed on compromised devices, potentially allowing unauthorized individuals to gain immediate access to internal resources. Some organizations attempt to reduce digital exposure by verbally sharing credentials through phone calls or in person meetings, though this method creates separate operational challenges involving coordination between IT staff, managers, and new employees. Researchers stated that the involvement of additional personnel in relaying credentials may increase the risk of mishandling or unintended disclosure. Cybersecurity experts argue that many organizations continue balancing convenience against security, often resulting in onboarding credentials becoming a long term vulnerability instead of a short term setup requirement.
Security researchers highlighted that one way to reduce onboarding related password risks is to eliminate the need for temporary credentials altogether by enabling employees to create secure passwords through verified enrollment processes. According to guidance associated with Specops First Day Password, available as part of Specops uReset, employees can establish passwords independently through identity verification methods such as personal email addresses, mobile numbers, or secure password reset functions on managed devices. Researchers stated that this process allows organizations to enforce password policy requirements from the beginning while reducing risks linked to intercepted onboarding credentials. Cybersecurity professionals further warned that temporary passwords can become particularly dangerous when they remain unchanged after first login. Because onboarding credentials are often simpler, generated in bulk, or created primarily for convenience, they may be easier for attackers to predict or abuse if left active. Security analysts referenced multiple incidents illustrating how weak or unchanged credentials have exposed organizations to serious operational risks, especially when linked to internet facing systems or sensitive environments.
One frequently cited example involved the Municipal Water Authority of Aliquippa in Pennsylvania, United States, where a cyber incident in November 2023 reportedly involved Iranian linked hacktivist group Cyber Av3ngers exploiting programmable logic controllers protected by default credentials set to “1111.” Researchers stated that the attackers gained access to a remote booster station serving two townships, prompting U.S. Cybersecurity and Infrastructure Security Agency (CISA) to advise similar facilities to update default credentials and disconnect exposed systems from public internet access. Another incident identified in 2025 involved McDonald’s AI powered hiring platform McHire, operated by Paradox.ai, where researchers reportedly gained access to a legacy administrative environment through weak credentials using “123456” as both username and password. According to researchers, the platform contained access to information linked to more than 64 million job applications before remediation steps were taken following responsible disclosure. Cybersecurity experts stated that these examples demonstrate how setup passwords, temporary credentials, and overlooked administrator accounts can remain active within production systems and increase exposure to unauthorized access. Organizations have been encouraged to strengthen password policies, adopt phishing resistant authentication measures, and implement secure onboarding practices to reduce credential related security risks throughout the employee lifecycle.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
