Petya Ransomware Strikes Businesses Globally


Petya, the next major malware outbreak since WannaCry, is specifically targeting companies across the globe.  Originating in Ukraine, the Petya ransomware spreads using the same EternalBlue/MS17-010 SMB vulnerability that WannaCry used.  The difference this time is that there is no kill switch that we know of.  It is gaining significant traction, infecting systems everywhere.  In the US it has hit a major pharmaceuticals company and a food services company.  Petya has also hit Danish, French, and Russian companies.

Similar to WannaCry, the malware encrypts systems and demands a ransom to regain access to the data.  Our research has not found a way to bypass this ransom at this time.  It seems that working decryption keys have been provided once paid, but payment is never a guarantee of recovery and should only ever be a last resort.

It’s not just ransomware

Unfortunately, there is much more to this variant.  Once the ransomware gains a foothold it behaves as a worm, breaching other systems on the network using a variety of exploitation methods.  It appears to be focused on critical infrastructure across the world, but it is not limiting the devices it infects by any means.  Various news sources have reported that power plants in the US and other countries have been breached. If this turns out to be a successful attack, it is quite scary to think about the damage that could occur.

For those who don’t remember, you can thank the NSA for this. The NSA had developed a tool that could breach Windows systems remotely using an exploit for a previously undisclosed vulnerability.  The Shadow Brokers hacker group obtained the NSA tooling and leaked it on April 14, 2017.

Stop PETYA with a penetration test

When it comes to ransomware, we have not found a good way to deal reactively with the damage.  Even once the ransom is paid, it is very likely that the attackers will return in the future, particularly if they know they have been paid before.  The only real way to defend against Petya is to eliminate the vulnerability in the first place, and a penetration test from a trusted third party may be the only way to know that you are actually protected.

Petya (and WannaCry) uses the EternalBlue vulnerability in SMBv1, fixed by MS17-010.  Systems are still falling victim even when the organization has a patch management program.  Mistakes in configuring the vulnerability scanning tool, or systems unknown to the patch management tool, leave a few systems vulnerable and outside the view of the security administrators. A penetration test can find these gaps in process before malware exploits those systems.  In addition, the penetration test will attempt to exploit any issues found as a proof of concept, providing you and your security organization with evidence that a potentially significant security event was avoided.

Schedule a penetration test with Raxis before the next malware variant hits.

Figure: an actual ransom screen generated from the Petya malware.

Physical Security Pitfalls: What our physical assessments show us


A Strong Front Door

An effective information security program is built upon a strong physical security strategy. After all, if an attacker can breach your physical security, the network controls become far easier to bypass. On average, our internal network penetration tests yield an 85% success rate. Once an attacker has physical access to network connectivity, the chances of a data breach rise dramatically. The role of a physical security strategy is to prevent an attacker from gaining tangible access to company resources so that secondary attacks are not possible.

Raxis is frequently retained to test the physical security of corporations in various verticals. We utilize many techniques in our attempts to gain unauthorized access, from highly technical approach vectors such as RFID badge cloning and IR cameras to simple social engineering pretexts.


We commonly find that companies implement technology and processes that, on the surface, give the impression of safety. Often, however, these controls are ineffective against a capable adversary; the net result is that the attack surface gains complexity without benefit, leaving the organization more vulnerable to targeted attacks.

While some companies go so far as to employ security guards, both armed and unarmed, the presence of such personnel often provides a false sense of security. Guards are excellent visual deterrents, but they are only one component of a robust strategy for physically safeguarding your critical data.

Likewise, high-tech security measures such as proximity cards and cameras often make an organization feel more secure, but the reality is that these technologies add complexity and require additional resources to maintain their effectiveness. Highly technical physical controls can often be defeated and, if not properly managed, sometimes leave a facility more vulnerable than it would be without them.

Here is a sampling of the attack vectors we have employed to circumvent physical security controls and gain unauthorized access to a facility:


Poorly Trained Employees / Employees with a Casual Approach to Security:

At the end of the day, a company’s best defense is a well-trained and vigilant employee. The popular phrase “if you see something, say something” is incredibly important. Employees know better than anyone what is out of the ordinary, be it a suspicious package or a person. Employees need to be trained in secure practices and given the authority to challenge or report anything or anyone that seems out of place.

Often employees are lulled into a false sense of security through confirmation bias: they believe that if someone has made it past the guard and onto the floor, that person must have permission to be there. This is reinforced by social tendencies that make it uncomfortable to confront unknown individuals. A fundamental tenet of awareness training is to retrain employees to practice heightened vigilance in the workplace. Raxis consultants bypass guards and other countermeasures regularly while conducting engagements for our clients. In every one of those cases, if an employee had simply recognized us as out of the ordinary and challenged us to confirm the legitimacy of our presence, our attempt at compromise would have been thwarted. The reality is that most individuals do not feel comfortable confronting someone in an office setting, and social engineering attacks exploit exactly that tendency to lend legitimacy to a given pretext.

The better an employee is trained to question people and events that are unfamiliar, the more robust the organization’s security posture will become.


Proximity Badges

Many companies fall prey to the false sense of security that comes with RFID proximity card access control systems. In practice, many of these systems, particularly legacy 125 kHz cards that simply broadcast a static identifier with no cryptographic challenge, can be read and cloned electronically without the employee’s knowledge.

For less than $600 and the ability to do a Google search, one can obtain step-by-step instructions for building a weaponized long-range badge reader that captures an employee’s badge data from a distance for later cloning.

In many cases, an old-fashioned tumbler lock and key would offer greater peace of mind. Where proximity badges are required, prefer credentials that authenticate cryptographically to the reader rather than replaying a fixed identifier, and treat the badge as only one layer rather than the whole control.


Lack of Photo Badging

To make matters worse, many companies that use badge access systems do not issue personalized badges with employee photos. This may be due to a myriad of reasons, from budgeting to lack of headcount to manage such a program, to the effort required to upgrade from legacy systems, or other business drivers. Even in environments where photo badges are prevalent, employees often do not take the time to verify that the photo on the badge is actually that of the person carrying it.  Indeed, a surprising number of companies are satisfied with a plain white proximity badge without any accompanying credentials.

Proximity badges should, where possible, be paired with a photo credential that validates the individual’s identity and indicates the level of access that person should be given. All visitors should sign in and, in many cases, be escorted while on the premises.

Even the most robust badging system is completely ineffectual unless employees are required to use it consistently. The physical layout of the office reception area plays heavily into enforcing access policies. Along with the photo ID, the layout of the office should require each person to pass through a checkpoint (even if it is just a receptionist) to show their ID and swipe their badge; tailgating through a door someone else has opened bypasses the reader entirely.


Unmonitored Cameras

The use of video surveillance systems is another way a false sense of security can arise.  In many cases the cameras are either not functioning or are feeding directly to a DVR that provides investigative material only after a security event has occurred. Using surveillance reactively negates the visibility it could provide. The challenge is that most of the places we breach never know we were there: we walk in, do our thing, and leave. The company does not know to investigate because an incident response was never triggered; they were not using their surveillance technology proactively.

In many cases, if the company had security personnel charged with monitoring the cameras, a breach could be stopped as it happened rather than investigated after the fact, when the damage has already been done.

While cameras are an effective deterrent to many attackers, they must be used correctly and as part of a larger strategy lest they once again facilitate a false sense of security.


What You Can Do

The importance of awareness training cannot be overstated. Understanding how company culture contributes to the level of employee vigilance offers critical insight into the implementation of any security training program. The goal is not to make your employees paranoid or uncomfortable, but to help them develop situational awareness in the workplace. Empower them to report anything out of the ordinary, and make it clear that doing so is part of their job. A formal, well-understood security reporting process will streamline response efforts.

Recognize the limitations and vulnerabilities of your security systems. It is often said that security is a process. An effective security program encompasses dynamic layers of controls in which weaknesses are identified and mitigated through compensating controls.

Test the effectiveness of your systems regularly. Utilize an outside assessment firm such as Raxis to partner with you and your team and assess your performance. Tests such as these are critical to understanding the strengths and weaknesses inherent in any security strategy and how to best utilize available technology to increase the organization’s resilience to attack.

We hope you found this article insightful. Below is a short video that illustrates a typical engagement for Raxis. It demonstrates some of the techniques employed by Raxis consultants to infiltrate a facility, establish persistence, and exfiltrate sensitive information, all without the company being aware.

Vulnerability Scan Vs Penetration Test: What’s The Difference


Many people are confused about the difference between a vulnerability scan and a penetration test. This article examines the differences between the two and offers decision points to help you make the right choice for your needs.

Vulnerability Scan

A vulnerability scan is conducted using an automated tool that is purpose built to identify potential security gaps on a remote system. This ‘vulnerability scanner’ sends targeted traffic to ports and services on systems and analyzes the responses in an attempt to identify the presence of a vulnerability. At the completion of the scan, a report is generated. The engineer that initiated the scan designates what type of report to generate depending on the specific requirements with regards to verbosity, margin of error, intended purpose, or other business drivers. Some reports are hundreds of pages detailing each individual “finding” while others are as simple as a two page summary.

Because a vulnerability scanner has limited means of validating the presence of a vulnerability, the accuracy of its output may be suspect. Depending on the scanner configuration and the target system, a report may contain a myriad of false positives or fail to identify legitimate vulnerabilities. The end result is that a security engineer has a laundry list of possible flags to chase down, verify, and develop a solution for.

Penetration Test

A penetration test is a real-world exercise in infiltrating your network systems. To that end, a security engineer will utilize many tools (including, in some cases, a vulnerability scan). Whereas vulnerability scanning is a largely automated process, penetration testing involves manual and targeted testing using specific toolsets and custom scripts. Using a combination of techniques and technical knowledge, the penetration tester focuses on areas of exposure that likely constitute a legitimate risk to the organization’s security.

Having identified likely insertion points, the penetration tester will actively attack gaps in the network’s security posture. The execution of a practical attack using the same methodologies that an actual attacker would employ is the most effective way by which to ascertain the real world exposure of a given system or network.

As the engineer begins to infiltrate the system he or she will take detailed notes and screen shots documenting the process. The goal is to articulate to the customer the nature of the exposure, and how its presence helped to facilitate a compromise.

A seasoned penetration tester will provide a detailed report outlining the various vulnerabilities as well as the severity of each finding within the context of the business, something that a vulnerability scanner cannot provide. The result is an actionable report that provides validation of exposures and targeted guidance on remediation measures.

Which is Best

A true penetration test by a qualified engineer is most often the best overall value for a business. Not only does the stakeholder gain an understanding of the workflow of a real-world attack, they also get specific guidance, from the perspective of an attacker, on what measures would be most effective in thwarting validated attacks. This is articulated in the context of the organization’s business drivers. The end result is that the security organization can focus its efforts where they are most effective and prioritize remediation based on real-world data.

A penetration test is more expensive because of the thoroughness of the assessment and the greater value of the outputs. A vulnerability scan is a good starting point and may achieve the bare minimum of satisfying compliance mandates. An organization that understands the difference between compliance and security, however, will endeavor to move beyond automated outputs and seek to understand the practical nature of their security posture.

Are All Penetration Tests The Same

The short answer is no. When you are shopping for a penetration test there are several things you should consider:

  1. Get a sample report – some companies are much more informative in their documentation and a sample report will reflect what you should expect to receive.
  2. History – ask about the team and their experience working with organizations of a similar caliber.
  3. Diversification – find out the background of the team members; the technical expertise brought to bear during the test should be appropriate to the technologies that your organization utilizes.
  4. Duration of test – based on your specific situation ask how long the assessment should take to perform. This may be governed in part by the scope of assessment or other logistical factors.
  5. Their level of specialization – do they only offer penetration testing, or do they also provide other products and services?

Each of these questions will give you insight into the quality of assessment you will receive. Especially in security, the relationship between cost and value varies. Determine whether the team is going to spend adequate time on your assessment and whether their security engineers have the expertise for your specific situation. Compare reports and ensure the report will support your ability to properly remediate the findings. And finally, don’t be afraid to ask to speak to a security engineer and dive deep into their methodologies and experience with the type of testing you need. A competent penetration testing provider will not shy away from such discussions and will welcome the opportunity to add value to your security program.

Rising Above The Minimum Cyber Security


Cyber attacks on the rise

With the end of each year there are blog posts and articles suggesting the next year will be worse than the previous when it comes to cyber security. Whether those predictions are true or not, one thing is sure – IT Security is a top concern for most network administrators – and it’s a concern that’s only likely to get bigger.

2016 saw a rise in ransomware and other malware attacks (FBI This Week – March 2016). We also saw allegations of foreign governments leveraging their way into critical data (the DNC and FDIC breaches were two 2016 stories in which international hacking was suspected).

Companies large and small alike were crippled by cyber attack.

What’s at risk

A successful cyber attack can not only damage a company but can also impact business continuity to the point that the business cannot recover. Beyond the critical loss or compromise of data, there are ancillary impacts to consider: downtime, recovery cost, reputation damage, the cost of providing identity theft protection for customers, and possible litigation are just a handful of the hurdles an attacked company can face.

PCI & HIPAA regulations

Many companies and organizations look to guidelines such as PCI and HIPAA as a security framework, but the reality is that these guidelines are best considered a baseline, the MINIMUM a company should be doing. The proactive company looks for strategies to safeguard its networks, apps, and APIs with as much fortitude as possible.

Operationally, this translates to running in-house scans, delivering constant awareness training, and consistently leveraging the value of penetration tests. The responsible company is also hiring outside experts to attempt network, physical and social penetrations in addition to the in-house testing. The goal should be to ascertain exposures and remediate them to drive the improvement of the organization’s security posture.

The cyber security risks are real

Even with the best of intentions, shortfalls occur. Systems do not always get patched and are often prone to insecure configurations. With the rise of social engineering as an attack vector, employees are often the weakest link (unintentionally, of course).

Threats are limited only by an attacker’s creativity, and it is impossible to predict every threat vector. A realistic attack by a skilled adversary is the best way to understand the attacker’s mindset and how your systems may be vulnerable to compromise. Nothing beats an outside set of eyes testing your defenses.

Cyber attacks are on the rise, and companies have never had more to lose. With so much on the line, now is not the time to be looking at average security measures. What steps will you take in 2017 to improve your security posture?

Public USB Charging Ports & Their Potential Security Risks

Public USB Charging ports – Are they safe?

How many times have we found ourselves with a nearly depleted mobile device and no charger cable? Despite the array of adapters and cables that are available, on occasion we are found without our charge cable and a nearly dead phone or tablet battery. Increasingly, public locations are providing native USB convenience charging stations for the modern day smart device. It’s a common oversight to plug our devices into these public charging outlets without considering the risks in doing so.

What have you done??

Honestly, odds are, you’re simply charging your phone as expected. But the truth is you just don’t know. This is due to the nature of the USB interface and the fact that it has the capability to transmit both power and data.

Charging ports that seem innocent enough can be a disaster waiting to happen. A USB port is a data connection as well as a power connection; a malicious host behind the port can attempt to enumerate your device, pull data from it, or push malware onto it, revealing critical information to a malicious actor. You would likely never know.

That charging device might not have even been placed by the establishment that you assume has placed it. A bad actor could simply drop the device in a public area waiting for the unassuming person to walk by and plug in their device.

The reality is that most charging ports are legitimate and pose no real threat, but you also never know for sure.

Here are some suggestions to keep yourself safe while using a public charging station:

  • Do not plug your device’s USB cable into an untrusted USB port, such as those commonly found on public charging stations.
  • Always carry your own charging cable and wall adapter, or a power-only adapter that physically omits the USB data lines, so the port can deliver power but never data.
  • If you must use a public station, practice situational awareness and assess the risk of interfacing with it.
  • When you plug your device in, never agree to trust the source or allow it any kind of control of your phone (on iOS this is the “Trust This Computer?” prompt; on Android it is the USB mode or debugging authorization prompt). These functions vary by device type and model.

The Threat of Malware

The installation of malware is a key way to gain unauthorized privileges on a device, whether via a charging port, a free or found USB drive, a link in an email, or a malicious website. Cyber criminals are getting increasingly savvy in their attack vectors, which means you must be more diligent than ever to protect yourself from this threat.

DameWare Mini Remote Control Pre-Authentication Username Remote Overflow

We ran into a very old version of Windows running Dameware Mini Remote Control v4.x that was vulnerable to the Username buffer overflow.  We found this particular exploit code on yet we never found (reliable) compiled code for it.  We ended up compiling it ourselves, so I thought I’d post it in case it saves anyone some time.   I confirmed it executes fine on Windows 10.0.14393.  If someone decides to port this to Linux, please let me know. 😉

Happy exploiting!


MD5 ( = a5e552aa6d85b45263cd2269d33e6ed5

Dual LG 5K Monitors on the 2016 MacBook Pro

The new LG UltraFine 5K monitors with the USB-C/Thunderbolt 3 ports are simply amazing.  A perfect match for the 2016 MacBook Pro with TouchBar.

Unfortunately, I lost a little time trying to set them up as they had worked once using both of the ports on the right side of the MacBook Pro.  Then, one monitor stopped working.  It was always the 5K monitor that I plugged in second, leaving me with the use of only one monitor.  Even after a reboot, only one of the monitors would work.  I spent time on Google and Apple’s website trying to figure it out with zero luck, and then went on a tangent deleting plist files, clearing the PRAM, resetting the SMC, and trying to manually adjust monitor settings from the command line.  No, you don’t need any of that.

Dual LG UltraFine 5K on the 2016 MacBook Pro

Even though it’s not all that related, I’m posting this on our information security blog with hopes that I save someone some trouble setting them up.  It’s really simple – there are two Thunderbolt 3 buses on the new MacBook Pro.  The two ports on the left create bus 0, and the two ports on the right create bus 1.  You can see the currently connected devices in the System Information utility.  Connect one of your 5K monitors to one bus, and the 2nd one to the other bus.  Problem solved.  For some reason I thought the port configuration was different, and I do think it would be nicer to have both bus 0 and 1 on each side of the machine so the cables would be more organized.  Oh well.

System Information reporting Thunderbolt 3 Bus connections

I still don’t know why both monitors worked on one bus before.  I didn’t use it that way very long, so I’m guessing it somehow was setup in 4K resolution.  The Mac Pro works the same way, there are actually three Thunderbolt 2 buses on the system.

In case anyone was wondering, I took the background images myself from Tortola and the Baths on a Canon 5D Mark III fitted with an L Series 28-135mm F/4 lens.  They look simply amazing in 5K.

Anyway, hopefully this helps someone!

Aerial Drones – A New Frontier for Hackers


Drones in the News

Drones have been a hot news topic for a number of years. Individuals and businesses alike are scrambling to leverage these devices for everything from aerial photography to package delivery. Their low cost makes them readily accessible, and the uses are virtually unlimited, even for the malicious actor.

Perhaps you saw the news story in which a drone was used to get within range of a home and hack into its automation features to control the lights. While that stunt was merely annoying, it shines a spotlight (pun fully intended) on the bigger issue security professionals face when seeking to implement this new technology securely.

Aerial Hacking

Recently Raxis conducted a security assessment in which we used a drone to intercept wireless signals in transit between two locations. The drone was positioned in the line of sight of the transmission and captured the signal as it flew by.

The drone relayed the data to our security engineer on the ground and the captured data was reviewed for exploitable content.

Similarly, drones can be used for proximity attacks where they can get close enough to a target to intercept the radio signal. This information can be saved onboard or relayed to a remote location for analysis and use.

Drones can be readily equipped to receive and transmit data across a myriad of transports. This creates an interesting array of attack vectors for the creative hacker.

What Can You Do?

Drones offer an entirely new attack vector for hackers. As a security engineer, you need a comprehensive plan that incorporates drone-related threat profiles:

  • Establish a no-fly zone and prepare countermeasures for safely bringing down a rogue drone (where legally permitted).
  • Maintain vigilant surveillance of critical areas.
  • Ensure that all data sent over the air is strongly encrypted and that no plaintext passwords or other sensitive information are transmitted in the clear.
  • If a drone is spotted, consider ceasing all data traffic until the drone is no longer a threat.

Beyond intercepting data, drones are employed for general surveillance with increasing frequency. An attacker preparing to infiltrate your physical property can gain a substantial amount of information by reviewing aerial footage obtained during overhead flights.

Drones can be small, quiet, and hard to detect. It is entirely possible for a drone to surveil your property without attracting undue attention. Even if the device is noticed, employees would likely assume its presence is recreational without considering the security implications of such a device in proximity to the facility.

Training and attentiveness are critical to maintaining a robust security posture against these aerial attacks. The old slogan from US Homeland Security, “If you see something, say something” applies here. Encourage your employees to report drone sightings and develop a legal and safe plan for handling drone flights in your area.

Above all else, realize that drone-based attacks can pose a significant threat to your security posture and should be managed accordingly.

Ransomware – What you can do to avoid being a victim

Ransomware is the hot topic today. Malicious actors infect your system with sinister code that hijacks your information. In its purest form it encrypts your data and yanks it from within your very grasp, leaving behind only a message: a ransom note. If you ever wish to see your precious data again, you will pay. If you don’t pay, your data will be deleted and you will find yourself in the unemployment line.

It’s the kind of thing that keeps business owners and managers up at night.

The question is, what do you do to guard against it? Once the ransom note appears on your screen, you are done. There are several steps you should be taking to safeguard against ransomware.

1. Prevention

The number one thing you should do to guard against ransomware is to seal up the cracks. Find a good penetration testing company and have your internal and external networks evaluated. The right penetration testing company will come in with no credentials and attempt to exploit every weakness your network has. Don’t confuse this with a vulnerability scan: a true penetration test (pen test) approaches your systems just as a real hacker would. A real person is working your network and looking for exploitable weaknesses.

Include social engineering (email phishing, vishing, and spear phishing specifically) in your assessment. Ransomware often enters your systems through malicious code unintentionally installed by an employee: using a found USB stick, visiting a malicious website, giving up credentials to an official-sounding phone call, clicking a link in an email, and so on. All of these are inadvertent ways an employee may infect their system.

The report and remediation recommendations you will get from a pen test are priceless for patching the holes in your security. Evaluate your pen test company carefully. Ask to see sample reports and determine the depth of analysis you will truly get. Do not be guided by price alone.

Along with assessing the network for vulnerabilities you should also consider a robust endpoint protection solution with an awareness of ransomware and zero-day vulnerabilities.

Patching as a component of a comprehensive vulnerability management program should also be considered as a foundational element in any ransomware mitigation strategy.

2. Anticipation

Remember the saying – “failing to plan is planning to fail”. Ransomware is becoming more and more prevalent. You need to know what data you have, where you have it, and when it was last backed up. A completely audited data system will be much easier to restore. This will also help you get a grip on what has been compromised.

3. Backup, Cloud backup and Services

Once the thief has your data, the jig is up. Your data is encrypted, and there is a ransom to get it back. You are not going to break the encryption. If you pay, you will usually get your data back (not to mention a target on your back). If you don’t pay, they delete the data and you are likely out of business.

Once the attack happens you have three choices – pay the ransom, go out of business or restore from a backup.

You DO back up, right? Surprisingly, many companies don’t, and the ones that do often lack consistent practices. It is critical that this backup be separate from your network, since ransomware will encrypt any backup volume it can reach with the credentials it runs under. You have a few options with backups:

1 – Consistent internal backups to off-site drives isolated from the network.
2 – Cloud based backups

While many experts agree that ransomware has not yet made the leap to the cloud, the issue is getting the data back in time for a reasonable restore. Normal network transfers aren’t practical at the data volumes of a typical large company. There are services available that will overnight a hard drive to your door once you’ve been attacked.

4. Restoration Plan

You need a plan in place to restore the data once you get it. Regardless of how you choose to back up and restore – you need this plan. You will have to wipe the entire system and systematically restore it. You also need to keep in mind that the data you are restoring has the same vulnerability that got you hacked in the first place. So a smart hacker is likely to get right back in – and the game of cat and mouse continues.

You can’t afford to keep playing the game. Restore the system and immediately get it assessed and patched. By now you should see why step 1 is so crucial to avoiding ransomware. You are also likely seeing why step 2 is important.

Ransomware is here to stay for a while. It’s the new age stagecoach heist. The hi-tech way of bank robbery. Your best defense is a strong offense, good preparation and a plan for business continuity if and when it happens to you.

The Weakest Link in the Password Hash

Your password is strong – but is everyone else’s?

We spend considerable time trying to make sure our passwords are strong. But we also need to spend time educating our user base on why password strength is important.

It is not uncommon for a hacker to establish his foothold in an environment by first compromising a weak or insecurely stored password. Once a base level of authenticated access is established, it becomes a matter of time before privilege escalation is achieved.

So, while your password might be a strong 16-character, alphanumeric-with-symbols stronghold, your administrative assistant might still be using s0ftc@t1 (which, by the way, would crumble under a modest brute-force attack in less than 48 hours) as hers. If we can get that weak password we can extrapolate from there and gain access to other accounts.

Important lessons to teach:

  • Use of symbols to recreate letters (e.g. @ for a, ! for i) is not that useful. Rule-based brute-force attacks use dictionaries and account for common character substitution techniques.
  • Longer is better – an 8-character password is trivial for a skilled hacker regardless of its complexity. Currently, adding a single character and increasing the length to 9 characters extends the time it takes to crack the password to a couple of months.
  • Use random letters and numbers.
  • Capital letters should be used along with non-capitals, but refrain from making the first character the capitalized letter (we expect that and hack for it).
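As an added example (not code from the original post), here is a small Python audit that applies these lessons the way a rule-based cracker would: it undoes common character substitutions using a constructed table, looks for words from a constructed mini wordlist in the result, and flags short passwords and a lone leading capital. The wordlist, substitution table and sample passwords are all constructed for illustration.

```python
import re

# Constructed stand-in for the wordlist a rule-based cracker would use.
WORDLIST = {"soft", "cat", "password", "summer", "dropbox", "welcome", "admin"}

# Substitutions that cracking rules routinely undo (constructed, not exhaustive).
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 9  # the post calls 8 characters trivial and 9 a real step up


def normalize(password):
    """Lowercase and undo leet substitutions, as a cracking rule set would."""
    return password.lower().translate(LEET)


def dictionary_hits(password, wordlist=WORDLIST):
    """Dictionary words (3+ chars) that survive inside the de-leeted password."""
    plain = normalize(password)
    return sorted(w for w in wordlist if len(w) >= 3 and w in plain)


def audit(password):
    """Return a list of findings; an empty list means the password passes these checks."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short: fewer than %d characters" % MIN_LENGTH)
    uppers = [c for c in password if c.isupper()]
    if uppers and password[0].isupper() and len(uppers) == 1:
        findings.append("only capital letter is the first character")
    if not re.search(r"\d", password):
        findings.append("no digits")
    hits = dictionary_hits(password)
    if hits:
        findings.append("dictionary words survive substitution: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    # Constructed samples: the assistant's password from the post, two typical
    # "complex" choices, and the post's own 10-character root.
    for pw in ("s0ftc@t1", "Summer2017!", "P@55w0rd1", "yyT73p@55c"):
        print(pw, "->", audit(pw) or "passes")
```

The post's example root yyT73p@55c passes every check, while s0ftc@t1 is both too short and reduces to "softcati" once the substitutions are undone.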

Consider multiple roots

One trick is to use a 10-character base such as:

yyT73p@55c

Now remember that (see next section for tips).

Now make it unique by adding a “-”, a “+” or a “_” followed by a system identifier, such as:

yyT73p@55c-dr0p (say, for Dropbox)

yyT73p@55c+f@cE (for Facebook)

yyT73p@55c_BoA (for Bank of America)

Now you have a super strong random root, followed by a symbol with a dictionary word including caps and symbols if you wish.

Using this formulaic approach it’s possible to take a 10-character root and create a different password for each service by adding an easy-to-remember tag. Now your passwords are 14+ characters long and easy to remember.

Consider rhyme and pattern

One trick I use for remembering that root is putting it in a rhythm and rhyme pattern that makes sense to me. This was a trick taught to me by a security engineer years ago and it’s worked. In the case of yyT73p@55c, every third letter (and the 4th at the end) rhymes and I have a pace to it. Listen to how I say this password:

Different root for types of systems

Now, if you want to supercharge the geek (and help save your butt from mass hack password releases), consider having a small handful of root passwords. Perhaps one you use for social, one for finance, and one for work.

Using that approach still only requires you to remember 3 base passwords, but, in doing so, you’ve strengthened your password repertoire considerably.

Change the root

Regardless of the strength of our passwords, it’s still best practice to change them frequently. Using the root system, all you need to do is periodically change the root and you’ve reset any exposure to compromise you may have had.


If you really care about security for a specific site (say, your bank), use a unique username. It doesn’t have to be crazy. If you tend to use “sally15” as your main username, try using your last name, “sanders15”, for the bank. Use the same password root as above – but now you’ve got a unique username and a unique password that is associated with that one service.

The Struggle is Real

Getting your employees to use strong passwords is an uphill battle, but it’s a critical one. Remember – we are looking for the weakest link. Once we get a toe in the door, it’s usually all we need before we spread like cancer through your system.

By utilizing a simple system, such as the one suggested here, you can increase the chances of your employees maintaining difficult passwords and strengthening their online security.