Secure Info Registration: Getting Credentials to New Starters Safely

Updated 22 April 2026

A new starter joins on Monday. On Sunday night, the manager emails them at a Gmail address with their temporary Microsoft 365 password, the Wi-Fi key, the office alarm code, and, because it's easier, the shared admin login for the finance software. Everyone does this. It's also how most credential leaks start.

This guide is a simple pattern for handing over sensitive info to new starters without creating a mess.

Why email is the wrong tool

A few reasons:

  • It sits in the inbox forever. Indexed, searchable, backed up, sometimes synced to personal devices.
  • You don't know who else has access to the recipient's email provider, especially if it's a personal address.
  • If the account is ever compromised (either yours or theirs), the attacker gets a ready-made bundle of credentials to try.
  • Auditing is impossible. You can't revoke access to an email you've already sent.

The fix isn't complicated: use tools designed for this.

The two-tool pattern

For the vast majority of SMEs, you need two things:

  1. A business password manager: Keeper, LastPass, 1Password. Any of them.
  2. A secure one-time-share tool: built into the password manager, or standalone (PrivNote, Bitwarden Send).

With those two in place, your onboarding process looks like this:

Day of offer acceptance

  • Create the starter's Microsoft 365 account with a long random temporary password.
  • Flag "User must change password at next sign-in". This is non-negotiable.
  • Enforce MFA registration on first sign-in (see our MFA guide).
  • Add the user to your password manager tenant with a pending invite.
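The first two steps above can be scripted so the temporary password is never typed or chosen by a person. The following is an added example, not part of the original guide: it assumes the Microsoft Graph PowerShell module (Microsoft.Graph.Users) and an admin permitted to create users, and the starter's name and the example.com domain are placeholders.

```powershell
function New-TempPassword {
    param([int]$Length = 24)
    # Look-alike characters (0/O, 1/l/I) are left out so the password can be
    # retyped from the one-time link without mistakes.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#$%*+-=?@'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 1
    $pick = {
        param([string]$chars)
        # Rejection sampling: drop bytes that would bias the modulo result.
        $limit = 256 - (256 % $chars.Length)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $chars[$buf[0] % $chars.Length]
    }
    try {
        do {
            $pw = -join (1..$Length | ForEach-Object { & $pick $all })
            # Retry until every character class appears, so the result always
            # satisfies the tenant's complexity rules.
            $missing = $sets | Where-Object { $pw.IndexOfAny($_.ToCharArray()) -lt 0 }
        } until (-not $missing)
        $pw
    }
    finally { $rng.Dispose() }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All'

$tempPassword = New-TempPassword
$newUser = @{
    DisplayName       = 'Sam Starter'              # placeholder
    UserPrincipalName = 'sam.starter@example.com'  # placeholder
    MailNickname      = 'sam.starter'              # placeholder
    AccountEnabled    = $true
    PasswordProfile   = @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true      # "must change at next sign-in"
    }
}
New-MgUser @newUser | Select-Object Id, UserPrincipalName

# Paste $tempPassword straight into the one-time-share tool, then clear it.
# Do not write it to a file, ticket or transcript. MFA registration on first
# sign-in is enforced by tenant policy and is not set by this script.
$tempPassword
Remove-Variable tempPassword
```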

Day one, initial credentials

  • Send the temporary password using a secure one-time-view link (Keeper's One-Time Share, LastPass's One-Time Password, or a standalone tool like PrivNote). The link self-destructs after one view or after a set time.
  • Verbally confirm the username and where to sign in, over a phone call or in person, not in the same email.

The starter clicks the link, reads the password, signs in, is forced to set their own password, and registers MFA. Nobody has it sitting in their inbox.

Week one, shared credentials

Once they're logged in, use the password manager to share access to anything shared:

  • Team accounts for third-party tools
  • Office Wi-Fi key
  • Shared inbox access (assigned via M365, not by sharing a password)
  • SaaS logins that don't support proper user provisioning yet

Everything they get should be shared through the password manager's sharing feature, not copy-pasted into a document. That way when they leave, you revoke access in one click and every password auto-rotates on anything set up to do so.

Things that should never be shared this way

Some things shouldn't be one-off shared at all; they should be properly provisioned:

  • Admin credentials for business-critical systems: each admin gets their own account, period. No one logs in as "admin@".
  • Payment card data: never in plaintext anywhere. Use a proper provider like Stripe Issuing or your bank's delegated card controls.
  • Signing certificates and SSH keys: use proper secret management (Azure Key Vault, AWS Secrets Manager, or your password manager's secrets/records feature with strict access controls).

A checklist you can copy

For every new starter:

  • Account created with random temporary password
  • "Must change at next sign-in" enabled
  • MFA registration required on first sign-in
  • Temporary password sent via one-time-view link (never plain email)
  • Wi-Fi key shared via password manager (never pinned in the office)
  • Shared tool access provisioned via password manager
  • Role-based permissions set (not "full access because it's easier")
  • Leaver checklist documented at the same time

That last one matters. If your onboarding is tight but your offboarding is messy, you'll accumulate orphan access. Every hire should trigger writing the matching leaver steps into the system.

Why this is worth getting right

Most of the breaches we investigate don't start with a sophisticated attack. They start with a password that was shared by email years ago, saved in a personal Gmail, which later got phished. By the time the business notices, the attacker has been sitting in the finance system for weeks.

Cleaning up your onboarding process is boring. It's also the single highest-leverage thing a small business can do for its security posture. Do it once, write it down, and every future hire is protected.

Need help setting up a business password manager or tightening your onboarding? Let us know.