Secure Onboarding: How to Avoid Password Mistakes for New Employees?

🌐 🇵🇱 Polski · 🇬🇧 EN

A new employee gains access to company systems, and just days later falls victim to phishing. Sounds abstract? CERT and NIST reports prove this is an everyday reality. Errors in the onboarding process—especially those related to passwords—cost companies millions, not just financially but also in terms of reputation. How can you avoid them?

Ilustracja przedstawiająca nowoczesne biuro z ekranem logowania otoczonym ikonami ochrony danych, w stylu futurystycznym — Modern login screen secured with data protection icons

As new employees join companies, the risk of cyberattacks also rises. According to the Verizon DBIR 2023, a staggering 81% of identity theft incidents stem from weak passwords or human error. The problem isn’t the technology itself but the processes surrounding it. All it takes is one poorly secured account to turn an entire network into an easy target.

The biggest paradox is that many companies spend millions on advanced security systems while neglecting the basics. Errors in onboarding new employees aren’t minor oversights—they’re a direct path to data breaches, intellectual property theft, or even operational shutdowns. What specific pitfalls await companies, and how can they be avoided?

Most common mistakes that open the door to cybercriminals

The onboarding process, though seemingly straightforward, is an area where companies repeatedly make systematic errors. Some stem from a lack of awareness, others from underestimating risk, and some from excessive bureaucracy. Here are the most frequent ones:

Low-complexity temporary passwords – New hires often receive simple combinations like “Password123!” or birthdates, which can be cracked in seconds using attacker dictionaries.
Manual password sharing – Sending login credentials via email, SMS, or even phone calls invites attackers to intercept communications.
Lack of two-factor authentication (2FA/MFA) – Despite its availability, many companies implement MFA only after the first incident. Password + SMS code is the bare minimum.
Long-lasting temporary passwords – One-time passwords (OTPs) or session-based credentials aren’t replaced with permanent ones, remaining active for weeks or even months.
Failure to rotate passwords with role changes – An employee who gets promoted or switches departments continues using the same old password, often weak and unused for years.

These mistakes aren’t just theoretical threats. According to the Ponemon Institute, 57% of companies don’t enforce password rotation when an employee changes roles, and 61% of employees reuse the same passwords for work and personal accounts. This is a straightforward path to attack escalation.

Statistics that should chill the blood of managers

Data collected by leading cybersecurity institutions leaves no room for doubt: weak passwords of new hires are a gateway for attacks.

Reports worth knowing

IBM Cost of a Data Breach Report 2023:
- Average cost of a data breach: $4.45 million.
- 16% of incidents result from weak passwords or access management errors.
- Companies lose an average of $1.24 million on incidents linked to inadequate passwords.
CERT Poland 2023:
- 34% of phishing incidents targeted newly hired employees.
- Attacks were successful in 72% of cases because victims were unaware of security procedures.
NIST SP 800-63B (password guidelines):
- Recommends abandoning requirements like “at least one uppercase letter and a digit,” which lead to predictable passwords.
- Promotes long, random passphrases (e.g., “purpleelephantdancesatmidnight!”) instead of complex combinations.

These numbers show that the issue isn’t a lack of tools but their improper implementation. Companies that ignore these statistics risk not only financial losses but also the trust of customers and business partners.

How to secure the onboarding process? Proven mechanisms

Securing passwords for new hires shouldn’t be just a theoretical exercise for the IT department. The key is implementing consistent, automated procedures that minimize human error. Here are the mechanisms that work in practice:

1. Password policy aligned with NIST guidelines

Instead of enforcing complex combinations that are easy to remember (and crack), it’s better to use a long, random passphrase approach. Examples of strong passwords:

“purpleelephantdancesatmidnight!”
“CorrectHorseBatteryStaple2024”
“BlueSkyOverTheMountain2024!”

Avoid:

Passwords based on public information (name, surname, birthdate).
Simple sequences (e.g., “123456”, “QWERTY”).
Previously used passwords (checked via tools like Have I Been Pwned).

2. Enforcing MFA (Multi-Factor Authentication) from the first login

Two-factor authentication is no longer an option but a necessity. The most commonly used methods include:

SMS codes or authenticator apps (Google Authenticator, Authy).
Hardware keys (YubiKey, Titan Security Key).
Push notifications (e.g., Duo Mobile).

According to CISA, implementing MFA reduces the risk of a successful attack by 99.9%.

3. Temporary passwords with limited validity

Instead of manually granting access, consider using one-time passwords (OTPs) or session-based credentials that expire after a few hours. Examples:

Password valid for only 12 hours, after which the user must change it.
Code sent to a trusted device (e.g., company phone).

4. Automation via IAM (Identity and Access Management) systems

Tools like Okta, Microsoft Entra ID (formerly Azure AD), or JumpCloud enable:

Automated access provisioning based on roles (e.g., a new sales employee gains access to CRM and sales tools).
Enforcing password rotation when an employee changes roles.
Periodic access reviews (e.g., every 3 months).

5. Education and simulated phishing attacks

Security isn’t just about technology—it’s also about employee awareness. According to the SANS Institute, companies that regularly conduct training and phishing tests reduce the risk of successful attacks by 70%.

Best practices include:

Simulated phishing messages sent to new employees in their first weeks.
Training on recognizing suspicious links and attachments.
Regular reminders about password policies (e.g., via internal newsletters).

Cases that should serve as a warning to every company

Errors in onboarding aren’t just theoretical threats. There are numerous real-world cases where negligence in this area led to serious incidents. Here are two of them:

1. Uber (2022) – Phishing targeting a newly hired employee

Incident: A hacker gained access to company systems through phishing targeting a newly hired employee who shared their credentials.

Consequences:

Theft of customer and employee data.
Incident cost: $1.1 million (including fines and damage repair).
Loss of customer and partner trust.

Source: [BleepingComputer]

2. Twilio (2021) – Phishing attack on new employees

Incident: Attackers impersonated the IT department and sent fake notifications about the need to change passwords. New employees shared their credentials, leading to the theft of SMS data.

Consequences:

Customer data exposed to potential leaks.
Threat of a $10 million fine for GDPR violations.
Loss of reputation and market trust.

Source: [TechCrunch]

These cases show that errors in onboarding aren’t just a technical issue but a real threat to the entire organization. Companies that ignore these signals risk not only financial losses but also a loss of competitiveness.

Tools that simplify secure onboarding

Choosing the right tools is a critical step in building a secure onboarding process. Here are solutions that have proven effective in practice:

1. IAM (Identity and Access Management) systems

Okta – Automated access provisioning, built-in password policies, and MFA.
Microsoft Entra ID – Integration with the Office 365 suite, hardware key support.
JumpCloud – Cloud-based solution with device management capabilities.

2. Password managers

Bitwarden – Open-source password manager with a generator and rotation policy.
1Password – Secure password storage with a Travel Mode feature (hiding data during travel).
Keeper – Enterprise solution with password audit capabilities.

3. Data breach detection tools

Have I Been Pwned – Checking if a password or email has been compromised.
Dehashed – Monitoring the dark web for leaks of company data.

4. Phishing simulation systems

KnowBe4 – Platform for conducting phishing tests and training.
PhishMe – Tool for creating realistic attack simulations.

Legal and financial consequences of negligence

Errors in onboarding don’t come without consequences. Companies that neglect password security expose themselves to serious financial, legal, and reputational risks.

1. Fines for GDPR violations

The General Data Protection Regulation (GDPR) mandates that companies ensure an adequate level of security. Violations can result in:

Fines up to 4% of global revenue or €20 million (whichever is higher).
Obligation to notify the supervisory authority and affected individuals within 72 hours.
Compensation claims from affected parties.

Examples of fines:

Amazon – €746 million fine (2021) for insufficient protection of customer data.
Meta (Facebook) – €1.2 billion fine (2023) for transferring data to the U.S.
British Airways – £20 million fine (2020) for the leak of 500,000 customer records.

2. Civil and criminal liability

In some jurisdictions (e.g., the U.S.), companies can be held civilly liable for negligence in security. Examples:

Employers may be required to pay compensation to affected customers.
In cases of deliberate negligence, liability may also include criminal penalties.

Example from the U.S.:

The Equifax breach resulted in a $700 million fine (2019) for exposing data of 147 million customers. Part of the fine stemmed from negligence in the onboarding process of contractors.

3. Loss of reputation and customer trust

The costs associated with reputational damage are hard to quantify but often exceed financial penalties. According to PwC, 63% of customers discontinue services with a company after a data security incident. Additionally, difficulties in acquiring new customers and business partners can last for years.

Summary: Secure onboarding checklist

To minimize the risk of errors in the onboarding process, use the following checklist. Adapt it to your company’s specifics and existing procedures:

Before hiring

Define roles and permissions – Create an RACI matrix (Responsible, Accountable, Consulted, Informed) for each role.
Prepare a password policy – Specify password requirements (length, complexity, rotation) aligned with NIST guidelines.
Plan security training – Develop educational materials for new employees covering phishing, password management, and MFA.

On the first day

Automate access provisioning – Use an IAM system to assign permissions based on role.
Enforce MFA – Require a second authentication factor on the first login.
Provide a temporary password – Use a one-time password (OTP) or session-based credential valid for only a few hours.

In the first week

Change to a permanent password – The new employee must change the temporary password to a personal one compliant with company policy.
Simulated phishing attack – Test the new employee’s awareness using tools like KnowBe4.
Reminder about password policy – Send an email summarizing rules and best practices.

Regular reviews

Password rotation – Enforce password changes every 90 days (or more frequently if necessary).
Access audits – Check if employees have excessive permissions.
Ongoing training – Organize quarterly cybersecurity workshops.

Remember: Security isn’t a one-time action but an ongoing process. Companies that treat onboarding as an opportunity to strengthen protection—not just a formality—build lasting competitive advantages.