What credentials should a new employee receive on day one?

A new employee should receive: their company email login (with a generated temporary password requiring change on first login); an invitation to the company password manager; individual credentials for each system they need access to (CRM, project management, communication platforms); and MFA enrollment on all systems. They should not receive shared credentials written on paper or in a welcome email. All initial credentials should be generated by the password manager and shared via its secure sharing feature.

Should new staff use their personal email for work systems?

No. All work system accounts should be created with the company email domain where possible. Using personal email for work tools creates off-boarding complications (the departing employee controls their email and thus can reset passwords), data sovereignty issues (work data in a personal account), and GDPR concerns. Ensure all SaaS tools and cloud services use @yourcompany.co.uk accounts.

How should we handle probation period access controls?

Staff on probation can be given access to the general company collection in the password manager without admin access. Sensitive collections (finance, admin systems) can be provisioned after probation completion. This is not primarily a distrust mechanism — it reduces blast radius if a probationary employee account is compromised, and it naturally limits data access in line with the principle of least privilege.

What is the off-boarding equivalent of the onboarding checklist?

When an employee leaves, complete the reverse: disable or delete their email account; revoke their access to the password manager and all shared collections; change any shared credentials they had access to; retrieve or remotely wipe any company devices; revoke their SSO and MFA tokens; and update emergency contacts in any security tools that listed them. Run through the list with IT on the employee's last day, not after they have left.

How do we manage temporary or contractor access?

Create a dedicated temporary or contractor collection in the password manager. Grant contractors access to only what they need for their engagement. Set calendar reminders to revoke access at contract end. Do not add contractors to the general staff credential collections. If a contractor uses their own device, ensure they do not retain any company credentials locally — work credentials should be accessed via the password manager, not saved to the browser on a personal device.

HR Security Onboarding: The Password Checklist

A new employee's first day is one of the most common sources of credential security failures. In the rush to get someone productive quickly, it is tempting to share a general password, let them reuse their previous company's credentials, or defer security setup to "later in the week." This checklist structures the process to prevent those shortcuts from creating lasting vulnerabilities.

Day-One Security Checklist

☐ Create company email account with generated password (not the employee's name or a default)
☐ Enable MFA on company email — walk the new employee through setup on day one
☐ Invite to company password manager — provide vault and shared collections appropriate to their role
☐ Create individual credentials for each system they need — generated by the manager, not shared verbally
☐ Enrol on any SSO (Single Sign-On) system — test that logins work before end of day
☐ Provision laptop or device with disk encryption enabled and confirmed
☐ Brief on the password policy — 15 minutes, not a document to read later
☐ Confirm emergency contact for account recovery in case of device loss

What Not to Do

Do not email a password — even temporarily. Use the password manager's secure sharing
Do not create an account using a generic name like "[email protected]" — accounts must be individual
Do not skip MFA setup because it "takes too long" — the cost of a compromised account far exceeds 15 minutes
Do not give access to sensitive collections (finance, admin) until role requires it and probation is complete

HR onboarding new employee access control password setup security checklist

For informational purposes only. Consult a qualified IT security professional for advice specific to your organisation.

← Setting Up a Password Manager for Your Team BYOD Password Risks and How to Mitigate Them →