Cybersecurity

Specops study finds new-hire passwords commonly compromised

A study found plenty of “starter” passwords in a pile of compromised credentials.
article cover

Ftiare/Getty Images

· 3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A study from Specops Software, released on May 14, found some items that should probably stay out of the new-hire welcome package: easy-to-guess, temporary passwords.

After scanning over 651 million malware-compromised credentials over the last year, a team at the password security company found 120,000 that contained terms common to new-hire credentials—logins like “user,” temp,” “welcome,” and “change.”

Compromising common starter passwords allows attackers to potentially get around safeguards like multi-factor authentication (MFA) and to potentially get first access into employee-issued services.

“Before you can set MFA, you need to log in the first time with a password to then configure MFA. So [new-hire accounts] are quite a juicy target for any threat actors, especially if they’re pre-provisioned before the user starts,” Darren James, Specops senior product manager, told IT Brew.

In May 2023, the industrial cybersecurity company Dragos detailed how a criminal group initiated its onboarding process—not via a company-issued, first-day password, however; the group compromised a new hire’s personal email account, according to the Dragos post.

Among the heap of found-to-be-compromised passwords, the Specops report revealed eight of the most common base terms (often given slight variation) for day-one accounts:

  • User
  • Temp
  • Welcome
  • Change
  • Guest
  • Starter
  • Logon
  • Onboard

“This is an issue, as attackers can use brute force or cracking tools to guess end users’ weak and common passwords. They can also become compromised via password reuse, when end users reuse work passwords on less secure personal devices, websites, and applications,” the Specops report read, also mentioning that its research suggests end users sometimes simply keep their first-day password or make only a slight alteration.

In Verizon’s recently released Data Breach Investigations Report, the company found that of the 1,997 web-application attacks that occurred between November 1, 2022, and October 31, 2023, 77% involved the hacker gaining access via stolen credentials, and 21% used brute force to discover “usually easily guessable passwords.”

While some IT departments onboarding new employees share plaintext passwords via text or email, James had fairly straightforward advice: Don’t send the password. (Specops has a First Day Password feature that keeps a cached credential on a new device and immediately prompts a user to set a complex password via an enrollment link. )

Andras Cser, vice president, principal analyst at market research company Forrester, recommends an option like an authenticator app, which sends a push notification through a secure connection; the presented code is based on a shared key between the app and code server.

“Leaving a password right with the manager is never a good idea,” Cser told IT Brew.

And if you have to send a password, make it tough—like, really tough, according to James.

“You want to be putting horrible, nasty-type passwords that they are absolutely going to want to change. And they’ll never just change the last character,” James said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.