EXPERT RESPONSE
To be honest, I would just get their written permission to be able to carry out password cracking on their environment and show them your results. I would just use L0phtcrack, John the Ripper or one of the many other password cracking tools on the market.
Create a presentation on dictionary and brute force attacks, explain that passwords should be at least eight characters using upper and lower case characters and symbols, and discuss how simple it is to break most passwords. But I, and many other security professionals, have found that it's best to demonstrate the issue to prove your point.
Although educating these people on the vulnerabilities of weak passwords is critical, you usually need to get their attention and get them on board right away. Non-technical people eyes tend to glaze over if you start talking to them about password lengths and ways to make passwords complex. However, showing executives how easily and quickly one can crack their passwords, and explaining to them that you now have access to all of their files, usually gets their attention.
It's important to note that it is critical to get written permission for this activity before you attempt it. This can be viewed as an invasive attack if your customer does not understand and allow you to carry out this test. In the past, security professionals have learned this lesson by being arrested or fired, even though they did not have any malicious intentions.
More Information
Learn how to crack your own network passwords before a hacker does, to mitigate the risks posed by weak passwords.
Learn more about the importance of secure passwords.
|
