Study Reveals High Risk of Password Compromises Among New Hires

A recent study from Specops Software, released on May 14, 2024, highlights a critical security concern for organizations: the use of easy-to-guess, temporary passwords in new-hire welcome packages. The study, which scanned over 651 million malware compromised credentials over the past year, discovered 120,000 instances of passwords containing terms common to new-hire credentials. These passwords, intended to be replaced after initial use, often persist and create ongoing security risks.

The Vulnerability

New-hire passwords are particularly susceptible to compromise, presenting an attractive target for attackers. Specops senior product manager Darren James explained, “Before you can set MFA, you need to log in the first time with a password to then configure MFA. So [new-hire accounts] are quite a juicy target for any threat actors. Especially if they’re pre-previsioned before the user starts”.

Common starter passwords can be exploited to bypass safeguards like multi-factor authentication (MFA), allowing attackers first access into employee-issued services.

Common Password Terms and Their Risks

The Specops report identified eight of the most common base terms for day-one accounts, often given slight variations:

1. User
2. Temp
3. Welcome
4. Change
5. Guest
6. Starter
7. Logon
8. Onboard

This poses a risk as attackers can employ brute force or cracking tools to guess weak and common passwords used by end users. Additionally, password reuse can lead to compromises when end users reuse their work passwords on less secure personal devices, websites, and applications.

The study revealed that end users sometimes simply keep their first-day password or make only slight alterations, making them more vulnerable to attacks. This finding aligns with the Verizon Data Breach Investigations Report, which found that 77% of the 1,9977 web-application attacks between November 1, 2022, and October 31, 2023, involved stolen credentials, and 21% used brute force to discover usually easily guessable passwords.

Recommendations for Organizations

To mitigate these risks, organizations must implement stronger security practices. If it is necessary to send a password, it should be complex and difficult to guess. James emphasizes the importance of using “horrible, nasty-type passwords” that new-hires will be compelled to change immediately, ensuring they don’t just modify the last character.

Comprehensive training during onboarding and regular refresher courses can help new hires recognize and respond to phishing attempts and other cyber threats. Implementing robust monitoring systems can help detect suspicious activity early and allow for swift responses to potential breaches.

Contact DDKinfotech if you need support with your onboarding process. Our team is ready to provide the guidance and assistance you require to ensure a smooth and efficient onboarding experience, with a commitment to maintaining the highest security standards.