Create a presentation on dictionary and brute force attacks, explain that passwords should be at least eight characters using upper and lower case characters and symbols, and discuss how simple it is to break most passwords. But I, and many other security professionals, have found that it's best to demonstrate the issue to prove your point.
Although educating these people on the vulnerabilities of weak passwords is critical, you usually need to get their attention and get them on board right away. Non-technical people eyes tend to glaze over if you start talking to them about password lengths and ways to make passwords complex. However, showing executives how easily and quickly one can crack their passwords, and explaining to them that you now have access to all of their files, usually gets their attention.
It's important to note that it is critical to get written permission for this activity before you attempt it. This can be viewed as an invasive attack if your customer does not understand and allow you to carry out this test. In the past, security professionals have learned this lesson by being arrested or fired, even though they did not have any malicious intentions.
Dig Deeper on Password Management and Policy
Related Q&A from Shon Harris, Contributor
When it comes to firewalls, the networking group often handles the installation, while the information security department writes the rules. Should ...continue reading
In today's security world, it's hard to keep track of each and every management standard and auditing procedure. In this SearchSecurity.com Q&A, ...continue reading
Before you begin putting the pieces of your security program together, you may want to have a look at ISO 27001. In this expert Q&A, Shon Harris ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.