Onboarding Passwords as a Security Risk in NIS2 Compliance

Bottom line: Temporary onboarding passwords distributed via email or SMS and not consistently changed create unnecessary security risks for companies and violate NIS2 standards.

In employee management, temporary passwords are frequently distributed over insecure channels like email or SMS and subsequently not properly changed. This creates persistent security gaps that contradict regulatory requirements.

The onboarding process for new employees places time pressure on IT teams: devices, accounts, permissions, and passwords must be provisioned within tight timeframes. This often happens through the distribution of a temporary password for the first day of work.

The core problem shows up in practice: these passwords frequently stop being temporary at all. They are sent via email or SMS, reused across multiple accounts, and not changed by employees after their initial login. This practice contradicts NIS2 requirements and opens vectors for unauthorized access through credential interception or brute-force attacks.

From a CISO perspective, this is a compliance and security risk: weak or reused standard passwords significantly increase the attack surface, especially when transmitted over unencrypted channels. Regulatory requirements such as NIS2 mandate secure credential handling and authentication from the point of first access provision.

Solution approaches include: deployment of one-time passwords (OTP), time-limited credentials with forced change on first login, secure out-of-band distribution (physical or via separate channels), and automated compliance audits of onboarding workflows. A documented and regularly reviewed onboarding policy is required to meet both security and audit requirements.
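As an added example (not code from the article, nor from any product or vendor it refers to), the following Python models two of the controls listed above in one small identity store: a random, time-limited onboarding password that must be replaced on first login, and an automated audit that flags onboarding passwords which have outlived their TTL or are still in use after the first login. The 24-hour TTL, the 16-character length, the PBKDF2 iteration count and all account and function names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values are assumptions for this example, not figures from the article.
TEMP_PASSWORD_TTL = timedelta(hours=24)   # onboarding password dies after one day
TEMP_PASSWORD_LENGTH = 16
PBKDF2_ITERATIONS = 100_000
ALPHABET = string.ascii_letters + string.digits


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    is_temporary: bool              # True until the onboarding password is replaced
    must_change: bool               # forces a password change at the next login
    issued_at: datetime
    expires_at: Optional[datetime]  # None once a permanent password is set
    first_login_at: Optional[datetime] = None
    changed_at: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def issue_temp_password(username: str, now: datetime) -> tuple[Account, str]:
    """Create an account with a random, time-limited, change-on-first-login password.

    The clear-text value is returned exactly once so it can be handed over
    out-of-band (in person or via a separate channel), not mailed or texted.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(TEMP_PASSWORD_LENGTH))
    salt = os.urandom(16)
    account = Account(username, salt, _hash(password, salt),
                      is_temporary=True, must_change=True,
                      issued_at=now, expires_at=now + TEMP_PASSWORD_TTL)
    return account, password


def login(account: Account, password: str, now: datetime) -> str:
    """Return one of: 'bad_password', 'expired', 'must_change', 'ok'."""
    if not hmac.compare_digest(_hash(password, account.salt), account.pw_hash):
        return "bad_password"
    # A temporary password that has passed its TTL is refused even if correct.
    if account.is_temporary and account.expires_at is not None and now > account.expires_at:
        return "expired"
    if account.first_login_at is None:
        account.first_login_at = now
    if account.must_change:
        # The caller must route the user to change_password() before granting access.
        return "must_change"
    return "ok"


def change_password(account: Account, new_password: str, now: datetime) -> None:
    """Replace the onboarding password with a permanent one chosen by the user."""
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new_password, account.salt)
    account.is_temporary = False
    account.must_change = False
    account.expires_at = None
    account.changed_at = now


def audit(accounts: list[Account], now: datetime) -> dict[str, list[str]]:
    """Compliance check over the store: report onboarding passwords that linger."""
    findings: dict[str, list[str]] = {}
    for a in accounts:
        issues = []
        if a.is_temporary and a.expires_at is None:
            issues.append("temporary password has no expiry")
        if a.is_temporary and a.expires_at is not None and now > a.expires_at:
            issues.append("temporary password past its TTL and never replaced")
        if a.is_temporary and a.first_login_at is not None:
            issues.append("temporary password still in use after first login")
        if issues:
            findings[a.username] = issues
    return findings


if __name__ == "__main__":
    # Constructed walk-through: issue, first login, forced change, then audit.
    day_one = datetime(2026, 6, 15, 9, 0, tzinfo=timezone.utc)
    alice, one_time = issue_temp_password("alice", day_one)
    print("first login:", login(alice, one_time, day_one + timedelta(hours=1)))
    change_password(alice, "correct horse battery staple", day_one + timedelta(hours=1))
    print("audit:", audit([alice], day_one + timedelta(days=2)))
```

The login flow refuses an expired onboarding password even when it is correct, and returns `must_change` rather than `ok` until the user has set their own password; the audit is what catches the cases the article describes, where enforcement is missing and the onboarding password quietly becomes permanent.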


Source: thehackernews.com · Published June 15, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.