2025-10-30, Main Stage
Have you ever encountered some hashes in a pen-test, cracked them only to find the results to be anywhere from “not great” to “downright depressing”? We have, and it encouraged us to implement monthly password cracking cycles. We use the results as a driving force to change behaviour around password usage. This talk will not be a technical deep dive on password cracking; rather, it will focus on how to use the results to get people to change their password behaviour. I will share the approaches we tried at Mediahuis: why quite a few didn’t work, which approaches did work, and some of the obstacles we’ve encountered along the way.
In 2018, a pen-test revealed that almost 40% of Mediahuis Nederland hashes were easy to crack. We had previously run several generic awareness campaigns around strong password usage, but these had limited effect. Knowing the results weren’t great and that generic campaigns have limited impact, we wanted to make colleagues aware when they were using a weak password and that they should change it, while ensuring that the security team does not see their passwords.
We built a program for monthly password cracking (or password strength testing, as it is called within Mediahuis). We obtained buy-in from the board and the workers’ council and started the testing cycles. I will share some brief information on our testing set-up; this will not be a deep dive, since there are already many clear write-ups on how to crack passwords. I will also share how we developed our testing criteria.
But testing alone will change nothing. So, we developed a communication strategy to get our colleagues to change their password behaviour. Mediahuis has entities in 5 different countries, and we have needed to adapt our communication strategy to fit local cultures. Along the way, we have tried various approaches, and I will share what, in our experience, are the advantages and disadvantages of the options we’ve tried. We have encountered obstacles and resistance to change during this project, and I will share what we’ve encountered and how we dealt with it. Currently, Mediahuis is down to a maximum of 1% of easily crackable passwords across all entities, with most entities being at 0 weak passwords.
Nynke is a technical information security officer at Mediahuis with 7 years of experience in information security, including 5 years with Mediahuis. Nynke has been focused on both technical security implementation and security awareness during her time at Mediahuis.