When we run across something we do not understand, we usually let our more ignorant side take over. We tend to say things like "that's dumb" or "that person must have been crazy" when we do not understand the decisions others have made. But sometimes you have to take a step back and look at the situation from those people's point of view. Only then can you see their thought process and understand why they made the decision they did.
When you are in charge of security for your office you have to be able to do that as well. You have to step back and understand how the people you work with think. Only then will you be able to build a system they can actually work with. If you try to force a system on them that they dislike, they will rebel against it and do their best to keep doing things the way they prefer. But if you sit down and talk with people, you will understand their frame of mind and be able to accommodate them better. In the end everyone is happier because a middle ground has been reached.
As a security expert it can be hard to understand why people choose weak passwords in the first place. But you find it obvious only because you have years of experience and training under your belt; it is no longer a foreign language to you. Even when you explain to the people you are protecting why certain passwords are a bad idea, they often do not follow your reasoning. They do not know how a computer works, or how a remote attacker can reach the login over the network and run a brute-force or dictionary attack against weak passwords.
People pick weak passwords for many reasons, but the number one reason is that they are easy to remember. The average person already has a pile of numbers and codes to keep in their head each day: phone numbers, ATM PINs, other people's names. A work password is just one more thing to stuff into their brains. So, to avoid feeling overwhelmed, they make the password something simple. And it is most likely a password they have already used somewhere else besides work. That combination is doubly unsafe: a simple password is quick to guess, and a reused one means that a breach of any other site where they used it hands an attacker their work login as well.
To counteract this kind of thinking, you have to break down for people, in terms they understand, why choosing passwords this way is dangerous. Leave out as much of the technical detail as you can; every technical word you add is another point where they drift off and stop listening. If talking does not work, take matters into your own hands and set up a system that generates the passwords for them instead. Keep in mind that a generated password nobody can remember ends up on a sticky note under the keyboard, so favour something memorable, such as a few random words, over a random string of symbols.
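The two points above, that simple or reused passwords fall quickly and that a generator should hand out something memorable, as an added example that is not from the original article. The word list and common-password set are constructed for the demo, and the function names (`generate_passphrase`, `is_weak`, and so on) are this example's own, not any product's API. A real deployment would swap in a published word list (the EFF long list has 7776 words) and a real leaked-password list.

```python
"""Added example: generate memorable, high-entropy passphrases with a CSPRNG,
estimate how long they survive guessing, and run cheap sanity checks on
user-chosen passwords. Lists below are constructed for illustration."""
import math
import secrets

# Constructed 32-word list (assumption for the demo). With 32 words each
# word contributes log2(32) = 5 bits; the EFF long list gives 12.9 bits/word.
WORDLIST = [
    "apple", "bridge", "candle", "dragon", "eagle", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orange", "pepper", "quartz", "river", "saddle", "tunnel", "umbrella",
    "violin", "walnut", "yellow", "zebra", "anchor", "basket", "copper",
    "desert", "engine", "falcon", "glacier",
]

# Constructed sample of the kind of entries found in leaked-password lists.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "summer",
    "admin", "monkey", "football",
}


def generate_passphrase(n_words=4, words=WORDLIST, sep="-"):
    """Pick n_words uniformly at random using secrets (never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy in bits of a uniformly chosen n-word passphrase."""
    return n_words * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit the passphrase when the attacker knows the scheme
    and tries guesses_per_second candidates (half the keyspace on average)."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def is_weak(password, min_len=12):
    """Cheap checks before accepting a user-chosen password.
    Returns (weak, reason)."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return True, "common password"
    # 'Password1' and 'Summer2024!' are common words with decoration,
    # which attackers' rule sets try first.
    core = lowered.rstrip("0123456789!@#$%")
    if core in COMMON_PASSWORDS:
        return True, "common password with trailing digits or symbols"
    if len(password) < min_len:
        return True, "too short"
    return False, "ok"


if __name__ == "__main__":
    phrase = generate_passphrase()
    bits = passphrase_entropy_bits(4, len(WORDLIST))
    print(f"{phrase}: {bits:.1f} bits from the demo list")
    # Offline cracking of a leaked fast hash: assume 1e10 guesses/s.
    print(f"demo list, 4 words: {expected_crack_seconds(bits, 1e10):.6f} s")
    real = passphrase_entropy_bits(4, 7776)
    print(f"EFF list, 4 words: {expected_crack_seconds(real, 1e10) / 86400:.1f} days")
    for candidate in ("Password1", "Summer2024!", "correct-horse-battery-staple"):
        print(candidate, is_weak(candidate))
```

The numbers are what matter when talking to users: four words from a 32-word list are gone in microseconds against a leaked hash, while four words from a 7776-word list hold up for days at the same rate, and adding a fifth word multiplies that by the list size. The `is_weak` check is deliberately simple; it exists to catch the "add a year and an exclamation mark" habit, not to replace a real breached-password lookup.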
Do not look down on people who do not understand computer security. They are not trained in it the way you are. You have to have patience when you are trying to secure them. If not, they will simply work against your rules.