Problem solve Get help with specific problems with your technologies, process and projects.

How to convince executives to use stronger passwords

In this Ask the Expert Q&A, Shon Harris discusses tools and tactics you can use to convince exectuives that there is a need for stronger passwords within an organization.

I am working on a security project initiated by a provincial government (in Canada). I have to make the executives accept that we need stronger and more robust passwords. Do you have any suggestions?
To be honest, I would just get their written permission to be able to carry out password cracking on their environment and show them your results. I would just use L0phtcrack, John the Ripper or one of the many other password cracking tools on the market.

Create a presentation on dictionary and brute force attacks, explain that passwords should be at least eight characters using upper and lower case characters and symbols, and discuss how simple it is to break most passwords. But I, and many other security professionals, have found that it's best to demonstrate the issue to prove your point.

Although educating these people on the vulnerabilities of weak passwords is critical, you usually need to get their attention and get them on board right away. Non-technical people eyes tend to glaze over if you start talking to them about password lengths and ways to make passwords complex. However, showing executives how easily and quickly one can crack their passwords, and explaining to them that you now have access to all of their files, usually gets their attention.

It's important to note that it is critical to get written permission for this activity before you attempt it. This can be viewed as an invasive attack if your customer does not understand and allow you to carry out this test. In the past, security professionals have learned this lesson by being arrested or fired, even though they did not have any malicious intentions.

More Information

  • Learn how to crack your own network passwords before a hacker does, to mitigate the risks posed by weak passwords.
  • Learn more about the importance of secure passwords.

  • This was last published in January 2006

    Dig Deeper on Password management and policy

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.