
Sharing Credentials During Employee Onboarding: A Secure Approach

Employee onboarding inevitably involves sharing credentials: email passwords, VPN access, cloud service logins, database credentials, and more. How your organization handles this process has significant security implications. Here's how to do it right.

The Common (Insecure) Approach

Most organizations default to one of these methods:

  • IT sends credentials via email to the new hire's personal email
  • Credentials are written on a sticky note and left on the desk
  • A shared spreadsheet contains all standard passwords
  • The manager texts or Slacks the password to the new hire

Every one of these methods creates a persistent record of the credential that can be discovered in a future breach.

A Better Workflow

Here's a secure onboarding credential flow that takes minimal extra effort:

Step 1: Prepare Credentials

Before the new hire's start date, gather all the credentials they'll need. Format them clearly:

Email: jane.doe@company.com
Temporary password: [password]
VPN: vpn.company.com
VPN password: [password]
Slack workspace: company.slack.com
Cloud console: console.company.com

Step 2: Create Encrypted Self-Destructing Links

Use Only Once Share to create separate encrypted links for each set of credentials (or one link for all):

  • Set the expiration to match the onboarding timeline (24h is typical)
  • The link encrypts everything in the browser with AES-256-GCM
  • Your IT team never needs to type passwords into email

Step 3: Share the Links

Send each link to the new hire through your standard communication channel. Even if that channel (email, Slack) is later compromised, the links will already be expired and the data destroyed.

Step 4: Require Immediate Password Changes

Set all initial passwords as temporary and require the new hire to change them on first login. This is the most critical step: it ensures the shared credential has the shortest possible lifespan.

Step 5: Transition to a Password Manager

Once the employee is set up, enroll them in your organization's password manager for any ongoing shared credentials (team service accounts, shared tools, etc.).

Handling Different Credential Types

Email / SSO

Share the temporary password via encrypted link. If your organization uses SSO (Google Workspace, Okta, Azure AD), the IT admin can set a temporary password and share it securely. Enable MFA as part of the setup process.

VPN / Network Access

VPN credentials are particularly sensitive because they grant network access. Share via encrypted link and rotate the credential after the employee confirms connectivity.

Cloud Services

For AWS, GCP, Azure, and similar services, prefer IAM roles and SSO over shared credentials. When individual access keys are necessary, share them via encrypted link and set rotation reminders.

Database Access

Database credentials should ideally be managed through a secrets manager integrated with your application. For direct access during development setup, share connection strings via encrypted link.

Audit Trail

While self-destructing links intentionally don't leave a record of the secret content, you should maintain a record of what was shared (not the passwords themselves) for compliance purposes:

  • Log which systems the new hire was given access to
  • Record the date credentials were shared
  • Track whether initial passwords were changed
  • Note the onboarding checklist completion
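
One way to keep that record, as an added example (not part of the original post and not Only Once Share's code): a small Python audit log that stores what was handed off and when, refuses any field that could carry the secret itself, and flags temporary passwords still unchanged after the link has expired. The record fields, the deny-list of field-name fragments, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed deny-list: fragments of field names that suggest secret content.
SECRET_FRAGMENTS = ("pass", "secret", "token", "key", "connection")

@dataclass(frozen=True)
class HandoffRecord:
    employee: str
    system: str                     # which system access was granted to
    shared_at: datetime             # date the self-destructing link was sent
    link_ttl: timedelta             # expiration chosen for the link
    password_changed_at: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        if self.password_changed_at is not None:
            return "rotated"
        if now >= self.shared_at + self.link_ttl:
            return "overdue"        # link is gone, temporary password is not
        return "pending"

def to_log_entry(record: HandoffRecord, now: datetime, **extra) -> dict:
    """Serialize a record for the audit log, refusing secret-bearing fields."""
    bad = sorted(k for k in extra if any(f in k.lower() for f in SECRET_FRAGMENTS))
    if bad:
        raise ValueError(f"refusing to log secret-bearing fields: {bad}")
    entry = {k: str(v) for k, v in asdict(record).items()}
    entry.update(extra, status=record.status(now))
    return entry

def overdue(records, now):
    """Systems whose initial password outlived the link that delivered it."""
    return [r.system for r in records if r.status(now) == "overdue"]

def checklist_complete(records, now) -> bool:
    return all(r.status(now) == "rotated" for r in records)

# Constructed sample data: two handoffs sent together with 24h links.
T0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    HandoffRecord("jane.doe@company.com", "email", T0, timedelta(hours=24),
                  password_changed_at=T0 + timedelta(hours=2)),
    HandoffRecord("jane.doe@company.com", "vpn", T0, timedelta(hours=24)),
]
```

Running `overdue(SAMPLE, now)` on a schedule gives IT a list of accounts to chase or force-reset once the link lifetime has passed.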

Conclusion

Secure credential sharing during onboarding doesn't need to be complicated. Use encrypted self-destructing links for the initial handoff, require immediate password changes, and transition to a password manager for ongoing access. This approach takes roughly the same amount of time as sending an email, but eliminates the persistent security risk that email creates.
