Security And Not-so-techie Clients

[oligarchy314]

So I just finished my first big(er) project as an independant contractor, with a medium size apartment building. Working with existing cabling and wireless access points (read: consumer wireless routers) I replaced their aging Juniper firewall in the basement with a new firewall appliance (read: PC running m0n0wall).

Now my question is this: how do I explain in a diplomatic and professional manner that they should at least change the default passwords on all their equipment, if not start using much more secure passwords everywhere? I put a semi-strong password on the m0n0wall, but all the access points are admin:admin, their surveillance DVR uses admin:admin, even the wireless router in the sports bar on the first floor uses admin:password. If I can convince them it's a good idea to use better passwords, I would then write up some documentation for the network and write down the passwords so they won't have to remember them but would keep them in a safe place.

I'm looking for personal stories, and professional opinions. Thanks in advance.

[int0x80]

You are their professional. Give them your professional opinion as a recommendation or as part of the report in your deliverables. Definitely the latter, at the very least.

[CanadianTaco]

You are their professional. Give them your professional opinion as a recommendation or as part of the report in your deliverables. Definitely the latter, at the very least.

^this^

[oligarchy314]

Thanks, I will write up a recommendation that they move everything to more secure passwords, and add it to the final report on the project that will be included with the invoice.

Edited March 27, 2012 by oligarchy314

[Infiltrator]

Just be open and professional with them, explain the differences between a weak password and a strong password. Tell them the mistakes a lot of people make, when setting up their systems and how easily it can be for an outsider/intruder to gain access to the their system.

You can then go about explaining how dictionary attacks work and why in certain cases they are so effective. And that is very simple, people always tend to fall into the habit of using the same password, or passwords that are easy to remember like, password or 1234 or redroses1.

Moreover, if they can choose a password that is not in the dictionary or perhaps combine two words with special characters they will not only be making it difficult for an attacker to guess but it will make their system less vulnerable to dictionary attacks.

Edited March 28, 2012 by Infiltrator

[IrishFavor]

Depending on your clients level of understanding or point of view you may also want to relate this to how they use the network. For example if they are in using for back-office work and the only place they keep file is on a server it would be very feasible for an intruder to get into the network to change records such as who has paid rent for the month ect. I find that when explaining to the client showing them how it can affect their business but most importantly income they usually are very receptive to the solution.