Create a presentation on dictionary and brute-force attacks, explain that passwords should be at least eight characters long and use upper- and lower-case characters and symbols, and discuss how simple it is to break most passwords. But I, and many other security professionals, have found that it's best to demonstrate the issue to prove your point.
Although educating these people on the vulnerabilities of weak passwords is critical, you usually need to get their attention and get them on board right away. Non-technical people's eyes tend to glaze over if you start talking to them about password lengths and ways to make passwords complex. However, showing executives how easily and quickly you can crack their passwords, and explaining that you now have access to all of their files, usually gets their attention.
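The kind of slide-ready numbers such a demonstration relies on can be produced without cracking anything, as in this added example (not from the original article): it estimates brute-force effort from a password's length and character pool at an assumed guess rate, applies the eight-character mixed-case-plus-symbols rule stated above, and shows why a dictionary attack with a simple "strip trailing digits" rule beats a long-looking password regardless of those estimates. The guess rate and the mini-dictionary are constructed assumptions.

```python
# Added example for password awareness sessions; not code from the original article.
# Estimates brute-force effort and models a simple dictionary attack with one rule.
import string

# Constructed stand-in for a real wordlist; a real demo uses a large dictionary.
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "welcome"}
# Assumed offline guess rate (guesses per second); adjust for your own hardware.
GUESSES_PER_SECOND = 1e10
SYMBOLS = string.punctuation  # 32 printable ASCII symbols

def charset_size(password: str) -> int:
    """Size of the smallest conventional character pool covering the password."""
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (SYMBOLS, len(SYMBOLS))]
    return sum(n for chars, n in pools if any(c in chars for c in password))

def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every password of this length over this pool must be tried."""
    return charset_size(password) ** len(password) / rate

def in_dictionary(password: str) -> bool:
    """Dictionary attack model: case-folded word, optionally with trailing digits."""
    word = password.lower()
    return word in COMMON_PASSWORDS or word.rstrip(string.digits) in COMMON_PASSWORDS

def meets_policy(password: str) -> bool:
    """The article's rule: at least eight characters with upper, lower and symbols."""
    return (len(password) >= 8
            and any(c in string.ascii_lowercase for c in password)
            and any(c in string.ascii_uppercase for c in password)
            and any(c in SYMBOLS for c in password))

def assess(password: str) -> dict:
    """Summarise how the password would fare and why, for use on a slide."""
    seconds = brute_force_seconds(password)
    if in_dictionary(password):
        verdict = "dictionary hit"  # falls instantly, whatever the keyspace says
    elif seconds < 86400:
        verdict = "brute-forced within a day"
    else:
        verdict = "resists brute force at assumed rate"
    return {"pool": charset_size(password), "length": len(password),
            "days_to_exhaust": seconds / 86400, "policy": meets_policy(password),
            "verdict": verdict}

if __name__ == "__main__":
    for pw in ("Password1", "abcdefgh", "Tr0ub4d&r"):
        print(pw, assess(pw))
```

Note that "Password1" gets a brute-force estimate of about two weeks at the assumed rate yet is a dictionary hit, which is the contrast worth putting in front of an audience.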
It's important to note that you must get written permission for this activity before you attempt it. This can be viewed as an invasive attack if your customer does not understand and authorize the test. In the past, security professionals have learned this lesson by being arrested or fired, even though they had no malicious intentions.
This was first published in January 2006