A recent study highlights a critical security vulnerability that many organisations might overlook: the use of easy-to-guess, temporary passwords in new-hire welcome packages.
After analysing over 651 million malware-compromised credentials over the past year, the team at Specops discovered 120,000 passwords containing terms commonly used for new-hire credentials, such as “user,” “temp,” “welcome,” and “change.”
The Risk of Common Starter Passwords
These easy-to-guess passwords provide a tempting entry point for attackers. They can potentially bypass safeguards like multi-factor authentication (MFA) and gain initial access to employee-issued services. “Before you can set MFA, you need to log in the first time with a password to then configure MFA. So [new-hire accounts] are quite a juicy target for any threat actors, especially if they’re pre-provisioned before the user starts.”
Common Compromised Passwords
Here are the eight most common base terms (often with slight variations) for day-one accounts:
User
Temp
Welcome
Change
Guest
Starter
Logon
Onboard
The issue with these passwords is that attackers can use brute-force or cracking tools to guess them quickly, because the base terms and their usual variations are well known. They are also exposed through reuse: employees often use the same passwords for work and for less secure personal devices, websites and applications.
If you must send a password, make it complex and hard to guess. You want to be setting horrible, nasty-type passwords that new hires are absolutely going to want to change, so that they never just change the last character. Then educate your staff about secure passwords using the NCSC advice of three random words, e.g. “For3st.Skate.Shark?” (Please don’t use that one!)
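As an added illustration (not code from the study or from SWCRC), the check below flags candidate starter passwords that are built on the eight base terms above, even when they are dressed up with capitals, digits or leet-style substitutions, and suggests an NCSC-style three-random-words replacement. The leet mapping, the 14-character minimum and the word list are assumptions chosen for the example.

```python
import re
import secrets

# The eight base terms the Specops analysis found in day-one credentials.
STARTER_TERMS = ("user", "temp", "welcome", "change",
                 "guest", "starter", "logon", "onboard")

# Substitutions that cracking rule sets undo routinely, so they add no real
# strength (assumed mapping). "1" is ambiguous (l or i) and handled separately.
LEET_MAP = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

def normalise(password: str) -> set[str]:
    """Lower-case, undo leet spellings and keep only letters, returning
    every plausible reading (one per resolution of the digit 1)."""
    base = password.lower().translate(LEET_MAP)
    readings = {base.replace("1", "l"), base.replace("1", "i")}
    return {re.sub(r"[^a-z]", "", r) for r in readings}

def starter_terms_in(password: str) -> list[str]:
    """Starter terms hidden in a candidate, e.g. 'W3lc0me!2024' -> ['welcome']."""
    readings = normalise(password)
    return [t for t in STARTER_TERMS if any(t in r for r in readings)]

def is_acceptable_temp_password(password: str, min_len: int = 14) -> bool:
    """Reject anything short or built on a predictable onboarding term."""
    return len(password) >= min_len and not starter_terms_in(password)

# Constructed sample word list; a real deployment would load several thousand
# words so the combinations cannot simply be enumerated.
WORD_LIST = ("forest", "skate", "shark", "copper", "violin",
             "harbour", "pebble", "lantern", "meadow", "glacier")

def three_random_words(words=WORD_LIST, sep: str = ".") -> str:
    """NCSC-style three-random-words password that also passes the blocklist."""
    while True:
        candidate = sep.join(secrets.choice(words).capitalize() for _ in range(3))
        if is_acceptable_temp_password(candidate):
            return candidate

if __name__ == "__main__":
    for pw in ("W3lc0me!2024", "Ch4nge.Me.2024", "Tmp-Us3r-01", "Forest.Skate.Shark"):
        print(f"{pw:22} terms={starter_terms_in(pw)} ok={is_acceptable_temp_password(pw)}")
    print("suggested:", three_random_words())
```

Note that “Ch4nge.Me.2024” satisfies most complexity rules yet is still caught, which is the point: complexity rules alone do not remove the predictable base term.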
Conclusion
The use of easy-to-guess passwords for new hires presents a significant security risk, and organisations must adopt better practices to protect their systems and data. By issuing complex starter passwords and sharing them through secure channels, businesses can safeguard their new employees and reduce the risk of cyber attacks.
For more tips and advice on improving your cybersecurity practices, visit the South West Cyber Resilience Centre (SWCRC) website. Stay informed, stay secure.