TL;DR: Plaintext password handoff for new hires persists because teams still have to bridge the gap between account creation and first-day access, according to ConductorOne. The underlying problem is not delivery convenience but the assumption that human-paced onboarding can safely rely on ad hoc secret sharing.
At a glance
What this is: This blog examines why new hire password handoff still gets handled through insecure workarounds and how ephemeral secret delivery changes the onboarding flow.
Why it matters: It matters because onboarding is a core IAM control point, and insecure first-access handling creates avoidable exposure across human identity, shared credentials, and downstream lifecycle governance.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Context
New hire credential delivery is a governance problem, not a convenience problem. When the directory account exists before the employee can reach SSO, teams often fall back to Slack messages, email, shared spreadsheets, or phone resets to bridge the gap between provisioning and first login.
That gap sits at the intersection of human IAM, lifecycle management, and secrets handling. The control failure is predictable: identity is created before the onboarding channel is ready, so the secret moves through informal paths that are hard to audit, easy to copy, and difficult to revoke cleanly.
ConductorOne's post is typical of a common enterprise pattern rather than an edge case. The article shows how teams improvise around the chicken-and-egg problem, then layer in temporary vaulting and entitlement-based access to reduce exposure.
Key questions
Q: How should security teams handle new hire passwords without using Slack or email?
A: Use a controlled bootstrap process that delivers the password through a single-use, time-bound channel and verifies the recipient before disclosure. The goal is not to make password delivery convenient, but to prevent plaintext copies from spreading into chat, mailboxes, and informal forwarding paths that are difficult to revoke or audit.
Q: Why do plaintext password workarounds create a governance problem?
A: They create a governance problem because the secret is copied into systems that sit outside normal identity controls. Once a password appears in Slack, email, or a spreadsheet, the organisation loses clear evidence of who saw it, when they saw it, and whether those copies were ever removed.
Q: What breaks when first-day access depends on manual password handoff?
A: Manual handoff breaks auditability, increases secret replication, and delays access for new hires when help desk teams are busy. It also creates a recurring exception process that becomes normal, which means the control failure scales with hiring volume instead of shrinking over time.
Q: Who should own onboarding secret delivery and lifecycle control?
A: Identity and security teams should own the control design, while HR and IT should align on timing and verification. The ownership question matters because onboarding secrets are not just operational tasks; they are part of joiner lifecycle governance and should be treated like any other access decision.
Technical breakdown
Why plaintext password handoff keeps happening
The core issue is sequencing. A new hire often needs an account before their corporate email, SSO session, or device trust is ready, which creates a window where the organisation must transfer a secret through a channel the recipient can actually reach. In practice, that means the password becomes a temporary bootstrap mechanism rather than a durable credential control. The security problem is not the existence of the password itself, but the fact that the transfer path is usually outside normal identity policy and hard to evidence for audit.
Practical implication: replace informal handoff paths with a controlled bootstrap process that is auditable and time-bound.
How temporary vault delivery changes the exposure model
A temporary vault changes the exposure model by moving the secret out of email and chat and into a single-use retrieval flow. The secret is encrypted at rest, decrypted only after verification, and then removed after first use or expiry. That matters because the risk is not just theft in transit, it is persistence in multiple systems where the secret can be forwarded, searched, retained, or replayed. A one-view vault narrows the attack surface, but only if the verification step is tied to a trustworthy identity check.
Practical implication: use single-use retrieval and expiry controls so first-access delivery does not leave recoverable copies behind.
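The controlled bootstrap flow described in the "Key questions" answer above and in this section, as an added example that is not ConductorOne's code or a description of their product. It is a minimal one-view vault: the service stores only a hash of the retrieval token and a ciphertext keyed by that token, so a copy of the stored record alone cannot be turned back into the password; the record is deleted on first successful view or on expiry, and every outcome is written to an audit list. The recipient check is a stand-in for whatever identity verification the organisation trusts (the class names, the `clock` parameter and the audit event names are all assumptions made here).

```python
"""One-view, time-bound bootstrap secret delivery (added example, stdlib only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class VaultEntry:
    token_hash: bytes   # SHA-256 of the retrieval token; the token itself is never stored
    recipient: str      # identity the secret was issued to (assumed verified by HR/IT upstream)
    ciphertext: bytes   # secret XORed with an HMAC-SHA256 keystream derived from the token
    expires_at: float   # absolute epoch time after which the entry can no longer be used


class OneTimeVault:
    def __init__(self, ttl_seconds: int = 3600, clock: Callable[[], float] = time.time):
        self._entries: Dict[str, VaultEntry] = {}
        self.ttl = ttl_seconds
        self.clock = clock                      # injectable so expiry can be tested deterministically
        self.audit: List[Tuple[str, str, str]] = []   # (event, link_id, recipient) records

    @staticmethod
    def _keystream(token: bytes, length: int) -> bytes:
        # Counter-mode PRF: concatenate HMAC(token, counter) blocks up to the needed length.
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(hmac.new(token, counter.to_bytes(4, "big"), hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def deposit(self, secret: str, recipient: str) -> Tuple[str, str]:
        """Store a bootstrap secret; returns (link_id, token) to hand to the recipient out of band."""
        link_id = secrets.token_urlsafe(8)
        token = secrets.token_bytes(32)
        data = secret.encode("utf-8")
        ciphertext = bytes(a ^ b for a, b in zip(data, self._keystream(token, len(data))))
        self._entries[link_id] = VaultEntry(
            token_hash=hashlib.sha256(token).digest(),
            recipient=recipient,
            ciphertext=ciphertext,
            expires_at=self.clock() + self.ttl,
        )
        self.audit.append(("deposit", link_id, recipient))
        return link_id, token.hex()

    def retrieve(self, link_id: str, token_hex: str, claimed_recipient: str) -> Optional[str]:
        """Disclose the secret exactly once; on refusal return None and log the reason."""
        entry = self._entries.get(link_id)
        if entry is None:
            self.audit.append(("denied:unknown_or_consumed", link_id, claimed_recipient))
            return None
        if self.clock() > entry.expires_at:
            del self._entries[link_id]          # expiry enforced on access, not only by a background sweep
            self.audit.append(("denied:expired", link_id, claimed_recipient))
            return None
        try:
            token = bytes.fromhex(token_hex)
        except ValueError:
            token = b""
        token_ok = hmac.compare_digest(hashlib.sha256(token).digest(), entry.token_hash)
        # Stand-in for a real identity check (e.g. a verified contact taken from the HR record).
        recipient_ok = hmac.compare_digest(claimed_recipient.encode(), entry.recipient.encode())
        if not (token_ok and recipient_ok):
            self.audit.append(("denied:verification_failed", link_id, claimed_recipient))
            return None
        del self._entries[link_id]              # consumed before disclosure, so no second view is possible
        stream = self._keystream(token, len(entry.ciphertext))
        plaintext = bytes(a ^ b for a, b in zip(entry.ciphertext, stream))
        self.audit.append(("retrieved", link_id, claimed_recipient))
        return plaintext.decode("utf-8")


if __name__ == "__main__":
    vault = OneTimeVault(ttl_seconds=900)
    link, token = vault.deposit("Constructed-Temp-Pass-1", "jane.doe")
    print(vault.retrieve(link, token, "jane.doe"))   # first view succeeds
    print(vault.retrieve(link, token, "jane.doe"))   # second view is refused
    print(vault.audit)
```

The point the page makes about the control plane applies here: the design only narrows exposure if the recipient check is real, the audit list is shipped somewhere durable, and repeated failed retrievals are rate limited and alerted on, none of which this sketch does on its own.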
Why entitlement-tied access matters beyond onboarding
The ongoing-access pattern is different from one-time onboarding. Database passwords, API keys, and shared service credentials are often reused across teams, so access should follow current entitlement rather than a static distribution list. Tying vault visibility to grants means the secret is still present, but the right to view it changes as identity and access change. That aligns secret exposure with lifecycle governance instead of leaving it anchored to a stale mailing list or spreadsheet. This is classic identity control logic applied to shared secrets, not a separate security layer.
Practical implication: bind long-lived credential visibility to current entitlements and recertify that access on a regular lifecycle cadence.
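Entitlement-tied visibility with a recertification cadence, as an added example rather than any vendor's code. The entitlement names, the 90-day cadence and the audit event names are assumptions made here. Disclosure of a shared credential is treated as an access decision evaluated against the live grant state, and a grant that has not been recertified within the cadence stops authorising disclosure until a reviewer re-attests it.

```python
"""Entitlement-tied shared-secret visibility with recertification (added example)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Grant:
    subject: str
    entitlement: str
    last_certified: float   # epoch seconds of the most recent (re)certification


class EntitlementStore:
    def __init__(self, recert_days: int = 90, clock: Callable[[], float] = time.time):
        self._grants: Dict[Tuple[str, str], Grant] = {}
        self.recert_seconds = recert_days * 86400
        self.clock = clock  # injectable for deterministic testing

    def grant(self, subject: str, entitlement: str) -> None:
        self._grants[(subject, entitlement)] = Grant(subject, entitlement, self.clock())

    def revoke(self, subject: str, entitlement: str) -> None:
        self._grants.pop((subject, entitlement), None)

    def certify(self, subject: str, entitlement: str) -> None:
        # A reviewer re-attests that the grant is still needed, which resets the cadence timer.
        g = self._grants.get((subject, entitlement))
        if g is not None:
            g.last_certified = self.clock()

    def is_active(self, subject: str, entitlement: str) -> bool:
        g = self._grants.get((subject, entitlement))
        if g is None:
            return False
        return self.clock() - g.last_certified <= self.recert_seconds

    def stale_grants(self) -> List[Tuple[str, str]]:
        """Grants past the recertification cadence: this is the review queue."""
        return [(g.subject, g.entitlement) for g in self._grants.values()
                if self.clock() - g.last_certified > self.recert_seconds]


class SharedSecretVault:
    def __init__(self, store: EntitlementStore):
        self._store = store
        self._secrets: Dict[str, Tuple[str, str]] = {}   # name -> (required entitlement, value)
        self.audit: List[Tuple[str, str, str]] = []       # (decision, subject, secret name)

    def register(self, name: str, entitlement: str, value: str) -> None:
        self._secrets[name] = (entitlement, value)

    def view(self, subject: str, name: str) -> Optional[str]:
        """Disclose the secret only while the subject holds an active, certified grant."""
        if name not in self._secrets:
            self.audit.append(("deny:unknown_secret", subject, name))
            return None
        entitlement, value = self._secrets[name]
        if not self._store.is_active(subject, entitlement):
            self.audit.append(("deny:no_active_grant", subject, name))
            return None
        self.audit.append(("allow", subject, name))
        return value


if __name__ == "__main__":
    store = EntitlementStore(recert_days=90)
    vault = SharedSecretVault(store)
    vault.register("db-prod-ro", "analytics-readers", "constructed-db-password")
    print(vault.view("alice", "db-prod-ro"))      # None: no grant yet
    store.grant("alice", "analytics-readers")
    print(vault.view("alice", "db-prod-ro"))      # disclosed while the grant is active
    store.revoke("alice", "analytics-readers")
    print(vault.view("alice", "db-prod-ro"))      # None again once the grant is gone
```

The value returned by `view` is still the same long-lived credential, so revoking a grant only stops further disclosure; the page's lifecycle point still requires rotating the credential itself when a leaver or mover has already seen it.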
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Plaintext password handoff is a lifecycle failure, not an onboarding shortcut. Teams treat the problem as a missing delivery channel, but the real issue is that identity provisioning and access readiness are out of sequence. Once a password is moved through Slack, email, or a spreadsheet, the control boundary has already been breached. The practitioner lesson is that onboarding must be designed as a governed identity handoff, not an exception path.
Bootstrap credentials create avoidable secret persistence. The first secret often gets copied into multiple places before the employee ever logs in, which increases the number of artefacts that must be searched, protected, and eventually removed. This is why ad hoc handoff is so hard to audit and why it tends to outlive the intended use case. The implication is that first-access processes should minimise secret replication from the outset.
Entitlement-tied visibility is the right model for shared ongoing credentials. When a database password or shared key is shown only to identities with the matching grant, secret access becomes part of IAM governance rather than an orphaned vault problem. That does not eliminate the credential, but it does align disclosure with current authorisation state. Practitioners should treat secret visibility as an access decision, not a convenience feature.
Lifecycle governance must include first-day access paths. Most IAM programmes focus on joiner, mover, and leaver events for application access, yet the onboarding secret handoff is often the first and weakest control point. The gap is especially visible where help desk, HR, and identity teams operate on different timelines. The conclusion is simple: if the first credential still needs improvisation, the lifecycle programme is incomplete.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how weak lifecycle discipline remains across machine and human-adjacent access paths.
- That lifecycle gap is why teams should also review the NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that reduce credential persistence.
What this signals
Plaintext onboarding secrets are a symptom of broader lifecycle drift. Once organisations rely on Slack or email to bridge first access, they are effectively accepting a second, undocumented identity system for one of the most sensitive moments in joiner flow. The programme signal is clear: onboarding must be measured as a control process, not as a help desk convenience. Teams that formalise bootstrap delivery will have fewer secret copies to chase later.
Secret delivery should be designed around retrieval, not retention. If the handoff mechanism creates permanent artefacts, the security model has already failed. A controlled bootstrap approach narrows that exposure, but only if the organisation also tracks where onboarding secrets are reused downstream, especially for shared credentials and privileged accounts. That is where the next governance gap usually appears.
Many teams still underinvest in lifecycle controls for credentials that are not user passwords. With 96% of organisations storing secrets outside secrets managers, the boundary between human onboarding and broader secret governance is already blurred. The practical next step is to connect first-day access, vaulting, and entitlement review into one lifecycle view rather than separate tickets and separate owners.
For practitioners
- Replace ad hoc secret sharing with a time-bound bootstrap flow: use a controlled delivery path that creates a single-use retrieval link, verifies the recipient, and expires automatically after first use or a short fixed window.
- Separate first-login credentials from ongoing shared secrets: treat new hire password delivery as a one-time onboarding step, then move database passwords and shared keys into entitlement-tied vault access for steady-state use.
- Audit every copy path for plaintext credentials: search for Slack threads, email forwarding, spreadsheets, screenshots, and help desk scripts that can preserve passwords beyond the intended handoff.
- Tie credential visibility to current access grants: require vault access to follow live entitlement state so that when a user loses the grant, they lose the ability to retrieve the secret as well.
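The "audit every copy path" step above, as an added example that is not part of the original post: a small scanner over a constructed chat export that flags messages carrying a credential and reports a redacted value plus a keyed fingerprint rather than the credential itself, so the scan output does not become one more copy to clean up. Matching the same fingerprint across channels is what surfaces the replication the page warns about (the first-day password forwarded from the help desk channel into a DM). The patterns, the export lines and `SCAN_KEY` are all constructed here.

```python
"""Detect plaintext credential copies in a chat/help desk export (added example)."""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed scanner key: lets one secret be correlated across channels without
# storing it, and without a plain hash that could be guessed against offline.
SCAN_KEY = b"constructed-scanner-key-rotate-me"

CREDENTIAL_PATTERNS = [
    ("password", re.compile(r"\b(?:password|passwd|pwd|pass)\b\s*(?:is|:|=)\s*(\S{6,})", re.I)),
    ("token", re.compile(r"\b(?:api[_ -]?key|token|secret)\b\s*(?:is|:|=)\s*([A-Za-z0-9_\-./+]{12,})", re.I)),
]

# Constructed export lines: (channel, timestamp, author, text)
SAMPLE_EXPORT = [
    ("#it-helpdesk", "2026-04-01T09:12:00Z", "alice", "hi bob, your temp password is Welcome2Acme!99 - change it on first login"),
    ("#it-helpdesk", "2026-04-01T09:13:10Z", "bob", "thanks, got it"),
    ("#it-helpdesk", "2026-04-01T09:20:00Z", "carol", "reminder: please reset your password via the portal, not here"),
    ("#data-eng", "2026-04-02T14:05:00Z", "dave", "prod db pwd: Sup3rS3cretDB#1 for anyone who needs it"),
    ("dm:bob-erin", "2026-04-03T08:30:00Z", "bob", "fwd from helpdesk, password: Welcome2Acme!99"),
    ("#ci-alerts", "2026-04-03T11:00:00Z", "frank", "deploy svc-token=example-token-0123456789abcdef in the pipeline env"),
]


def fingerprint(value: str) -> str:
    """Keyed, truncated HMAC so identical secrets correlate without being stored."""
    return hmac.new(SCAN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact(value: str) -> str:
    return value[:2] + "*" * (len(value) - 2)


def scan_export(messages: List[Tuple[str, str, str, str]]) -> List[Dict[str, str]]:
    findings = []
    for channel, ts, author, text in messages:
        for kind, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(text)
            if m:
                value = m.group(1)
                findings.append({
                    "channel": channel, "ts": ts, "author": author, "kind": kind,
                    "redacted": redact(value),          # enough to recognise the line, not to reuse it
                    "fingerprint": fingerprint(value),  # for cross-channel correlation only
                })
                break   # one finding per message is enough for the cleanup queue
    return findings


def replicated_secrets(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group findings by fingerprint and keep only secrets seen in more than one place."""
    seen: Dict[str, List[str]] = {}
    for f in findings:
        seen.setdefault(f["fingerprint"], []).append(f["channel"])
    return {fp: chans for fp, chans in seen.items() if len(chans) > 1}


if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT)
    for f in results:
        print(f"{f['channel']:14} {f['author']:6} {f['kind']:8} {f['redacted']}")
    print("replicated:", replicated_secrets(results))
```

Keyword patterns like these catch the common help desk phrasing but miss secrets pasted without a label; a real sweep would add high-entropy string detection and cover the other stores the page lists (email, spreadsheets, screenshots, help desk scripts), and each finding should feed a rotation ticket, since deleting the message does not un-disclose the credential.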
Key takeaways
- New hire password slacking is a lifecycle control failure that creates secret replication and weak auditability.
- Ninety-six percent of organisations store secrets in vulnerable locations outside secrets managers, which shows the scale of the exposure problem.
- Time-bound bootstrap delivery and entitlement-tied access are the controls that reduce first-day password risk without relying on informal workarounds.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses insecure secret handling during onboarding and delivery. |
| NIST CSF 2.0 | PR.AA-1 | Onboarding identity proofing and access readiness depend on controlled authentication setup. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Entitlement-tied vault visibility supports least-privilege access decisions. |
Eliminate plaintext handoff paths and use controlled, time-bound secret delivery for bootstrap access.
Key terms
- Bootstrap Credential: A bootstrap credential is a temporary secret used to get a new identity into its first trusted session when normal access paths are not yet ready. In identity governance, it should be time-bound, single-use, and auditable so it does not become a permanent side channel.
- Entitlement-Tied Visibility: Entitlement-tied visibility means a secret can only be viewed by identities that currently hold the relevant access grant. It keeps disclosure aligned with lifecycle state, which is especially important for shared passwords, database credentials, and other ongoing access that should not follow stale distribution lists.
- Single-Use Secret Delivery: Single-use secret delivery is a pattern where a credential is exposed only once and then destroyed or expires immediately after use. It reduces copying, forwarding, and retention risk, but it still depends on strong recipient verification and a trustworthy control plane.
Deepen your knowledge
New hire secret delivery and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your onboarding process still depends on ad hoc password handoff, it is worth exploring.
This post draws on content published by ConductorOne: Stop Slacking Passwords to New Hires. Read the original.
Published by the NHIMG editorial team on 2026-04-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org