TL;DR: Plaintext password handoff for new hires persists because teams still have to bridge the gap between account creation and first-day access, according to ConductorOne. The underlying problem is not delivery convenience but the assumption that human-paced onboarding can safely rely on ad hoc secret sharing.
NHIMG editorial — based on content published by ConductorOne: Stop Slacking Passwords to New Hires
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should security teams handle new hire passwords without using Slack or email?
A: Use a controlled bootstrap process that delivers the password through a single-use, time-bound channel and verifies the recipient before disclosure.
Q: Why do plaintext password workarounds create a governance problem?
A: The secret is copied into systems that sit outside normal identity controls, so it is no longer governed by the same access decisions as the account it unlocks.
Q: What breaks when first-day access depends on manual password handoff?
A: Manual handoff breaks auditability, increases secret replication, and delays access for new hires when help desk teams are busy.
Practitioner guidance
- Replace ad hoc secret sharing with a time-bound bootstrap flow: use a controlled delivery path that creates a single-use retrieval link, verifies the recipient, and expires automatically after first use or a short fixed window.
- Separate first-login credentials from ongoing shared secrets: treat new hire password delivery as a one-time onboarding step, then move database passwords and shared keys into entitlement-tied vault access for steady-state use.
- Audit every copy path for plaintext credentials: search for Slack threads, email forwarding, spreadsheets, screenshots, and help desk scripts that can preserve passwords beyond the intended handoff.
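One way to implement the single-use, time-bound bootstrap step from the first guidance point, as an added example that is not ConductorOne's Paper Vault code. It assumes an in-memory store, a caller that has already verified the recipient's identity (for example through SSO), and an injectable clock for testing; the token in the retrieval link is stored only as a digest, and the password is wiped after its one permitted view.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class _Entry:
    secret: str          # the first-login password awaiting pickup
    recipient: str       # identity the verified caller must present
    expires_at: float    # unix time after which the link is dead
    consumed: bool = False


@dataclass
class OneTimeSecretVault:
    """Single-use, time-bound delivery of a first-login password (illustrative, in-memory)."""
    _entries: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # every issue/disclose/deny event

    @staticmethod
    def _key(token: str) -> str:
        # Only a digest of the retrieval token is stored, so a dump of the store cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, secret: str, recipient: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # goes into the retrieval link; the password never does
        self._entries[self._key(token)] = _Entry(secret, recipient, now + ttl_seconds)
        self.audit_log.append(("issued", recipient))
        return token

    def retrieve(self, token: str, verified_recipient: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (True, secret) exactly once; otherwise (False, reason) and an audit entry."""
        now = time.time() if now is None else now
        entry = self._entries.get(self._key(token))
        if entry is None:
            reason = "unknown-token"
        elif entry.consumed:
            reason = "already-consumed"
        elif now > entry.expires_at:
            reason = "expired"
        elif not hmac.compare_digest(entry.recipient.encode(), verified_recipient.encode()):
            reason = "recipient-mismatch"
        else:
            value = entry.secret
            entry.secret, entry.consumed = "", True   # self-destruct after the single permitted view
            self.audit_log.append(("disclosed", verified_recipient))
            return True, value
        self.audit_log.append(("denied", verified_recipient, reason))
        return False, reason
```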
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- The exact Paper Vault delivery flow for first-day password handoff across email verification and SSO verification paths
- The connector-level encryption sequence used when setting passwords in AD, Entra ID, Google Workspace, and Okta
- The one-view expiry model for temporary vault access, including configurable retention and self-destruct behaviour
- The entitlement-based App Vault access model for ongoing shared credentials and how it maps to access grants
👉 Read ConductorOne's blog on stopping password slacking for new hires →
New hire password handoff: what IAM teams need to fix
Explore further
Plaintext password handoff is a lifecycle failure, not an onboarding shortcut. Teams treat the problem as a missing delivery channel, but the real issue is that identity provisioning and access readiness are out of sequence. Once a password is moved through Slack, email, or a spreadsheet, the control boundary has already been breached. The practitioner lesson is that onboarding must be designed as a governed identity handoff, not an exception path.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how weak lifecycle discipline remains across machine and human-adjacent access paths.
A question worth separating out:
Q: Who should own onboarding secret delivery and lifecycle control?
A: Identity and security teams should own the control design, while HR and IT should align on timing and verification. The ownership question matters because onboarding secrets are not just operational tasks; they are part of joiner lifecycle governance and should be treated like any other access decision.
👉 Read our full editorial: Stopping password slacking for new hires in identity governance