Many organisations issue temporary passwords during employee onboarding that are shared over insecure channels such as email or SMS, and often never changed. These credentials can persist indefinitely, be reused across multiple accounts, and represent an easily exploitable entry point for attackers. The risk is compounded at scale, as every new hire represents a potential window of exposure if the process is not tightly controlled.

Security Architect’s Take: Enforce password-change-on-first-login policies at the identity provider level and integrate onboarding flows with your SSO and MFA platform so temporary credentials have a hard expiry — ideally under 24 hours. Audit existing accounts for credentials that were never rotated post-onboarding using your IdP’s sign-in logs.

Original advisory: The Onboarding Password Mistake That Creates Unnecessary Risk