We are all susceptible to the curse of “password fatigue”, or struggling to remember countless logins and passwords. It becomes incredibly difficult to keep track of them all, forcing many to make their passwords easy to remember, often at the expense of security. Always remember that user convenience determines the effectiveness of your security policies.
When users choose simple passwords over more complex and secure credentials, the result is an abundance of insecure and easily guessable passwords. Studies of the “worst passwords” are amusing and frightening at the same time. Phrases like "QWERTY" or “123456” actually rank among the leaders. This is neither secure nor sustainable.
Do you know where your company is most vulnerable when it comes to assigning and distributing passwords?
The moment a new hire starts their first day of work remains one of the most vulnerable stages in the user account lifecycle for your organization. For the reasons elaborated upon below, the onboarding stage carries significant risk if the right processes and decisions aren’t in place. Even organizations with the strictest security standards can overlook these onboarding risks, exposing access to your company’s resources.
1) Initial password—it depends on the formula.
Many organizations rely on a simple formula for standard passwords when creating new accounts. For example, you might combine the first two letters of your first name with the year of birth and the last name: "Pe1972Mueller". Some companies even use the same default password for each new user account.
When this is the case, any employee within the organization would be able to access the new hire’s account before they even sit down at their desk for the first time. Some password generation policies are better, but can still be socially engineered with some basic info about a person. It should be obvious that this practice is grossly negligent and opens the door to data breaches and massive security risks.
2) How does the new employee gain access to their initial password?
When a new hire is onboarded to your organization, how do they receive their initial login information? Does a colleague from IT come to them personally on the first day and hand over the passwords in a sealed envelope? Is a sticky note handed to them or placed on their desk?
The way a new hire’s password is shared can also pose a security risk to your organization. Often the password is sent to a team leader or supervisor, who is expected simply to pass it on to the new employee. Or the new employee's private email address is used so that the password can be sent quickly.
If you use intermediaries, sticky notes, private email addresses that may be read over public networks, or any other shortcut to deliver passwords, you’re creating opportunities for the process to fail.
3) Orphaned accounts are security risks.
In many IT departments, the mass creation of accounts for new users is a daily responsibility. When a temporary worker (such as seasonal workers, trainees, interns, etc.) leaves the organization after a brief period, there is often no way to check and monitor whether accounts were even activated for that temporary employee.
When an account possesses access rights within the organization but has no associated user, it is known as an “orphan account”. Orphan accounts pose a very real threat to your organization. If not managed and disposed of correctly, they pollute the network and can create an entry point for potential data breaches.
Tools4ever’s tips for safely and securely onboarding new employees into your organization:
There are a few simple rules for setting up new user accounts that can significantly reduce the security risks your organization is exposed to:
- Generate initial passwords randomly.
New passwords should be randomly generated strings. Colleagues must not be able to guess them. Strong password generators can serve well here, so that "QWERTY" is a thing of the past.
- SSRPM’s “Account Claiming” module closes onboarding security gaps
Secure your onboarding process for new hires. SSRPM’s (Self-Service Reset Password Management) account claiming module closes the security gap that undermines your onboarding processes, locking down on the transfer of accounts and credentials to new users. With SSRPM, new employees can securely gain access to their account with minimal IT involvement.
- IAM solutions for overview and control.
Use an Identity and Access Management solution (on-premise or cloud) to automate user account generation and provisioning. With an IAM solution, you can easily monitor and control every step of the onboarding process for the account. Moving forward, your automations will ensure user access rights are properly assigned. In addition, an IAM solution can easily identify inactive orphaned accounts within your organization.
- Check for vulnerabilities.
Examine and test your entire onboarding process, from password creation (formula) to credential transfer to first login actions. This enables you to quickly identify security-relevant weak points.
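Two of the tips above, generating initial passwords randomly and identifying orphaned accounts, lend themselves to a concrete check. The following Python script is an added example written for this article; it is not Tools4ever code and does not use SSRPM or any IAM product. It draws an initial password from a CSPRNG (`secrets`) and compares its entropy with the formula-based example "Pe1972Mueller", then reconciles a constructed list of accounts against a constructed HR roster to flag enabled accounts with no active owner, or that were never used or have been idle for longer than a threshold. All names, IDs and dates are constructed sample data.

```python
import math
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# ---------- Tip 1: generate initial passwords randomly ----------

SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 74 characters


def generate_initial_password(length: int = 16) -> str:
    """Return a random initial password built with the CSPRNG in `secrets`.

    The loop rejects candidates missing a lowercase letter, an uppercase
    letter, a digit or a symbol so the result passes common complexity rules.
    """
    if length < 8:
        raise ValueError("initial passwords should be at least 8 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    A formula password such as "Pe1972Mueller" is derived from name and
    birth year, i.e. data any colleague can look up, so its effective
    entropy against an insider is close to zero regardless of its length.
    """
    return length * math.log2(alphabet_size)


# ---------- Tip 3: identify orphaned accounts ----------

@dataclass
class Account:
    username: str
    owner_id: Optional[str]      # HR person ID the account was provisioned for
    last_login: Optional[date]   # None if the account was never used
    enabled: bool


# Constructed sample data (hypothetical people and accounts).
TODAY = date(2024, 6, 1)
SAMPLE_HR_ROSTER = [
    {"id": "p100", "name": "Peter Mueller", "status": "active"},
    {"id": "p101", "name": "Sam Smith (intern)", "status": "left"},
    {"id": "p102", "name": "Bo Lee", "status": "active"},
]
SAMPLE_ACCOUNTS = [
    Account("p.mueller", "p100", TODAY - timedelta(days=2), True),
    Account("intern.smith", "p101", None, True),              # never claimed
    Account("contractor.x", None, TODAY - timedelta(days=200), True),  # no owner recorded
    Account("b.lee", "p102", TODAY - timedelta(days=5), True),
    Account("old.acct", "p101", TODAY - timedelta(days=400), False),   # already disabled
]


def find_orphaned_accounts(accounts: List[Account], hr_roster: List[dict],
                           today: date, inactive_days: int = 90) -> Dict[str, List[str]]:
    """Map each suspicious enabled account to the reasons it was flagged."""
    active_people = {p["id"] for p in hr_roster if p["status"] == "active"}
    flagged: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are out of scope for this check
        reasons = []
        if acct.owner_id is None or acct.owner_id not in active_people:
            reasons.append("no active owner in HR")
        if acct.last_login is None:
            reasons.append("never logged in")
        elif (today - acct.last_login).days > inactive_days:
            reasons.append(f"inactive > {inactive_days} days")
        if reasons:
            flagged[acct.username] = reasons
    return flagged


if __name__ == "__main__":
    print("random initial password:", generate_initial_password())
    print(f"entropy of 16 random chars: {entropy_bits(16, len(ALPHABET)):.1f} bits")
    for user, why in find_orphaned_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR_ROSTER, TODAY).items():
        print(f"orphan candidate {user}: {', '.join(why)}")
```

In the sample data the intern's account was provisioned but never claimed and its owner has left, and the contractor account has no recorded owner and has been idle for 200 days; both are reported, while the two active employees' accounts are not. In practice the roster would come from the HR system and the account list from the directory, and the flagged accounts would be reviewed and disabled rather than deleted outright.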
Take the first steps in securing your organization.
If you have any questions regarding how your organization can minimize potential onboarding risks, simply send an email to our office, firstname.lastname@example.org, or give us a call and we will arrange a joint consultation.