The weekend I spent hacking my own computer

By Anthony Passalacqua, Risk Management Representative, TMLT

Every week, there seems to be a new story of an organization being hacked and their data compromised, resulting in lost income, reputation, and customers. Target, JPMorgan Chase, Sony Pictures, T-Mobile/Experian, and Anthem are just a few examples of companies whose names are forever linked with cyber crime.

It got me wondering: Just how easy is it to hack into a computer or a network?

I thought I would conduct my own experiment. One Saturday, I tried to hack my own personal computer while measuring the time and costs it took to do so. To learn how to go about becoming a hacker, I went to one of my favorite resources: YouTube. I easily found and watched a “how to” guide to hacking personal computers.1 Shortly after watching the video, I went around my house to collect what I would need to conduct my experiment and found two recordable CDs and a 16 GB flash drive.

Password Reset program

First, I decided to start with something easy by downloading a password-reset program. A password-reset program is a tool used by system administrators or computer owners to recover a lost password. However, the program is often used by hackers to gain access to unencrypted hard drives.

I am going to be honest, I have a very slow Internet connection by today’s standards and it took about 1.5 hours for me to download the program onto a CD. Most people could have downloaded the program in less than 5 minutes with the new data streaming speeds that are now available.

When my download was complete, I rebooted my computer and launched the password-reset program on my computer. I then followed the step-by-step instructions from the YouTube video and, within minutes, successfully deleted my password.

I logged on to the computer and was immediately blasted with alerts and warnings telling me that my computer had been hacked and to call customer service. I ran a quick anti-virus program, and my computer was returned to normal. I reset my password and decided to try something a little more involved—a brute force attack.

Brute force attacks and “rainbow tables”

A brute force attack (also known as brute force cracking) is pretty much what its name suggests—an application program that attempts all possible password combinations to crack a computer’s password or data encryption standard keys. TechTarget, an online technology marketing company, describes this trial and error method as “infallible, although time-consuming.”2

I decided this time to download a password cracking program called Ophcrack while I went out to run some errands; after all, it was going to take another 1.5 hours to download. I came back about 2 hours later and found that the program had been successfully burned to a CD. I ran the program, and it identified all of my computer’s accounts. However, it didn’t provide me with any account passwords.

Why? Because I didn’t include a “rainbow table.” At this point, I began to learn about rainbow tables and their importance to the password cracking process. A rainbow table is a tool often used by hackers to crunch through huge amounts of hashes in very little time. On the Ophcrack website, I found the tab to download rainbow tables. There are different tables to use, and each one is separated out by operating systems, language, length of password, and type of characters. Just seeing the variety of options and methods available to me, I started to realize that cracking a password is something of an art. The more information you have about the computer or account you are trying to crack, the better the hypothesis you can make to speed up the process.

Launching the attack

I began to test my theory and downloaded my first rainbow table—one that corresponded with both the name of my wife’s computer’s operating system and with the low complexity of the current password (“password123”). I reran the program, and within 5 minutes it gave me passwords to both my operating system and my wife’s accounts. Believe it or not, I received absolutely no notification that my wife’s computer was hacked when I logged in. Since I was using my wife’s credentials, I also found that I had total access to her accounts—social media, you name it.

I then changed the password to an even longer and more complex one and downloaded an additional, corresponding rainbow table with more complex characters. I discovered that the more complex the password, the longer it takes to break it. For example, it took only 5 minutes for the first table to crack the initial password and about 30 minutes for the second table.

I decided to run the experiment one last time with a third rainbow table and a new, stronger password with additional characters not covered in the downloaded tables. I reran all three rainbow tables which took about 2 hours, at which point my password was still not found. I realized that my password no longer fit the parameters of the rainbow table and therefore could not be cracked.

Strong passwords

One of the biggest lessons of this exercise was the importance of a strong password to ensure your computer and accounts are safe. Many users don’t put a lot of effort into creating a strong password. They often cut corners because they are working quickly or want something easy to remember. But they often wind up creating shorter, weaker passwords that require less time and resources for hackers to crack. One of the key features I noticed in this process was that using special characters in passwords (%, #, &, @) made it significantly more difficult for the programs to crack the passwords. This was especially obvious when compared to the relative ease of cracking passwords made up entirely of dictionary words and numbers. You should stay away from using any word found in a dictionary when creating a password. Dictionary words are a known variable to password cracking programs and hackers.

Another key discovery: if you can create a strong password that exceeds 8 characters and uses special characters, then most rainbow tables would not find the password. Another factor to consider is that if you are using an older computer or system, your encryption may be outdated and is more vulnerable to being hacked. If you are unsure if your password is strong or not, please review one of our previous blog posts on passwords.
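The point made above, that a precomputed table only finds passwords inside its character set and length limit, can be checked before a password is adopted. The following is an added example, not part of the original article or of Ophcrack: the table profiles and the word list are constructed for illustration, and the "meets guidance" test encodes only the advice given in this section.

```python
import string

# Constructed table profiles (charset, max length); NOT Ophcrack's real tables.
TABLE_PROFILES = {
    "lower-digits-12": (string.ascii_lowercase + string.digits, 12),
    "mixed-alnum-8": (string.ascii_letters + string.digits, 8),
}
# Constructed mini word list; a real audit would load a full dictionary file.
WORDLIST = {"password", "welcome", "dragon", "summer", "texas"}


def keyspace(charset: str, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over charset."""
    n = len(set(charset))
    return sum(n ** k for k in range(1, max_len + 1))


def covering_tables(password: str) -> list[str]:
    """Names of profiles whose charset and length limit include the password."""
    return sorted(
        name for name, (charset, max_len) in TABLE_PROFILES.items()
        if 0 < len(password) <= max_len and set(password) <= set(charset)
    )


def dictionary_words(password: str) -> list[str]:
    """Word-list entries embedded in the password, ignoring case."""
    lowered = password.lower()
    return sorted(w for w in WORDLIST if w in lowered)


def audit(password: str) -> dict:
    """Summarise exposure to precomputed tables and dictionary guessing."""
    tables = covering_tables(password)
    words = dictionary_words(password)
    return {
        "covered_by": tables,
        "dictionary_words": words,
        # Guidance from this section: more than 8 characters, special
        # characters, no dictionary words, outside every table profile.
        "meets_guidance": (not tables and not words and len(password) > 8
                           and any(c in string.punctuation for c in password)),
    }


if __name__ == "__main__":
    # Constructed sample passwords, one per case discussed in the article.
    for pw in ("password123", "Xk29qLm4", "Password123!", "v7#Rq&2m@Lz9"):
        print(f"{pw!r}: {audit(pw)}")
```

The third sample falls outside both table profiles yet still fails, because it contains a dictionary word; being absent from a table is not the same as being strong.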

Lessons learned—and how TMLT can help you stay safe

It only cost me $10.48 to hack my computer. I was able to find a 50 pack of CD-Rs for $5.49 (about 11 cents apiece) and a 16 GB flash drive to store my rainbow tables for $4.99 with the back to school sales. So, for about the cost of a fast food meal and roughly 6 hours of computer time, I was able to reset my password and hack into my computer.

It was an eye-opening journey to see just how easy and affordable it is to access private, sensitive information found on a hacked computer. It also reinforced to me the importance of strong cyber security which includes keeping my computer updated with the most current patches as well as reassessing my operating systems every few years. I plan on remaining vigilant in safeguarding my computer and its contents going forward.

To help you keep your computer and network safe, TMLT’s Product Development & Consulting Services Department offers a range of cyber security services, such as risk assessments and security training for you or your staff, and such resources as our TMLT Privacy and Security Toolkit. More information is found on the TMLT website.

You may also view or download the TMLT Slideshare presentation, “What every physician needs to know: cyber security best practices” with quick tips and advice on maintaining your software, managing your passwords, guarding against malware, and more.

If you are curious about a technological subject or have any questions, comments, or ideas for a future blog story, please let me know.


1 Gordon, W. How to Break Into a Windows PC (and Prevent It from Happening to You), Lifehacker website. Accessed August 24, 2015. (This video is also found on YouTube.)

2 Brute force cracking definition. TechTarget website. Accessed 10/12/15.

Anthony Passalacqua can be reached at

Policyholders to save $13.5 million with dividends

Recently, the Board of Governors of Texas Medical Liability Trust (TMLT) approved a 10% dividend for policyholders who renew in 2016. The dividend will save them approximately $13.5 million in 2016 premium. This is the eleventh time TMLT has declared a dividend, saving policyholders approximately $268 million since 2005.

Texas physicians interested in applying for TMLT coverage or learning how this dividend will benefit them can email or call the sales department at 800-580-8658, extension 8603. Current policyholders will receive detailed information about the dividend before their policy renews.

As the leading medical professional liability provider in Texas, the Trust offers its policyholders a strong defense at a low premium. Benefits also include:

  • $165 million dedicated to the Trust Rewards program, a financial reward program that sets aside funds for policyholders at retirement;
  • Medefense coverage for regulatory or administrative actions;
  • cyber liability coverage for network security or privacy-related claims; and
  • discounts for completion of risk management activities.

“Now in its eleventh year, the dividend program shows TMLT’s commitment to Texas physicians. We stand by our policyholders and provide them with more benefits than any other company,” says TMLT President and Chief Executive Officer Robert Donohoe.

TMLT — now bigger than Texas

TMLT announces launch of Lone Star Alliance

Texas Medical Liability Trust is proud to announce the launch of Lone Star Alliance, Inc., a Risk Retention Group established to provide medical liability coverage to physicians, groups, health care facilities, and allied health care professionals in multiple states.

Operated by TMLT, Lone Star can accommodate the needs of new and existing policyholders by offering TMLT’s coverage and service to those working outside of Texas. With Lone Star, TMLT can also cover physicians who leave Texas to work in another state.

Lone Star was started in 2013 when TMLT began exploring how to extend coverage to its Texas-based policyholders who were also practicing in other states.

As sponsor and program manager of Lone Star, TMLT provides all essential operational support, such as financial and accounting services, information technology, underwriting, sales, marketing, claims handling, and risk management functions.

“The launch of Lone Star Alliance is an important milestone in the growth of TMLT. With Lone Star, we are no longer bound by state lines. More importantly, neither are our physicians,” says Robert Donohoe, President and CEO of TMLT. “Current policyholders in Texas can now practice anywhere in the United States, and still receive the same strong, flexible coverage and winning defense they have come to expect from TMLT.”

More information about Lone Star Alliance, including FAQs, is found here.

(left to right) TMLT Sr. Vice President, Claim Operation, Jill McLain, Senator John Cornyn, TMLT President & CEO Robert Donohoe

U.S. Senator John Cornyn receives Soaring Eagle Award

U.S. Senator John Cornyn has received the Soaring Eagle Award from the Texas Alliance for Patient Access, TMLT, and the Texas Medical Association for playing a vital role in making sure that critically important standard of care protection language remained a part of the SGR “doc fix” bill, House Resolution 2.

The legislation passed the Senate on April 14, 2015, and was signed into law by President Obama on April 21. The standard of care language protects state liability tort laws, including Texas’ landmark reforms of 2003. It also ensures that federal health care standards cannot be used to establish legal action against health care providers.

Thank you Senator Cornyn, for your outstanding work on behalf of Texans and all Americans.

Syphilis testing required for pregnant women in Texas

In 2015, the Texas Legislature passed Senate Bill 1128 revising Texas law to require that every pregnant woman be tested for syphilis at her first prenatal visit and at the third trimester, no earlier than 28 weeks gestation. (1) This law takes effect September 1, 2015.

The Centers for Disease Control and Prevention (CDC) recommend the third trimester test should occur between 28-32 weeks gestation, ensuring timely treatment of the mother and fetus. Although not required by law, the Texas Department of State Health Services (DSHS) recommends testing for syphilis at delivery for women who:

  • Live in a high-morbidity area (rates of primary and secondary syphilis of 2.0 per 100,000 or higher);
  • Have no evidence of prior testing;
  • Are uninsured or low income;
  • Are diagnosed with a STD during pregnancy; and/or
  • Exchange sex for money and/or drugs.

If the serologic status of the mother is not known, serologic status of the newborn must be determined less than two hours post-delivery. Any woman who delivers a stillborn infant after 20 weeks gestation should be tested for syphilis. Infants should not be discharged from the hospital unless the syphilis serologic status of the mother has been determined either during pregnancy or at delivery. (2)

All infants born to women with reactive serologic tests for syphilis should be examined thoroughly for evidence of congenital syphilis (e.g., non-immune hydrops, jaundice, hepatosplenomegaly, rhinitis, skin rash, and pseudoparalysis of an extremity). (3)

For more information, please see the DSHS website.



  1. Texas Health and Safety Code 81.090. Accessed August 25, 2015.
  2. Centers for Disease Control and Prevention. Accessed August 25, 2015.
  3. Centers for Disease Control and Prevention. Accessed August 25, 2015.