Grimes was on a Saturday job installing accounting software when he found himself locked out of the client’s network: he did not have the admin password needed to uninstall legacy software and deploy the update. With no one answering work phones and a likely delay until the next weekend, he resorted to guessing — and ultimately typed a password lifted from a film plot. The string he entered, “rosebud,” worked.
Roger Grimes, KnowBe4, and a Saturday install
Grimes told the story as part of the PWNED weekly column, recounting a practical problem: the need to take a network offline for an update but lacking the admin credential necessary to proceed. He chose to perform the work on a weekend to avoid disturbing staff, but the timing left him unable to reach anyone by phone to obtain the password. Faced with a potential delay, he tried multiple passwords until one hit the mark.
Citizen Kane, “rosebud,” and a correct guess
The successful guess came after Grimes remembered the film Citizen Kane and typed the word “rosebud.” The anecdote underlines a familiar cinematic trope — on-screen hackers randomly attempting logins until they stumble on the right one — and in this instance the trope played out in real life. The column notes that it was fortunate the guess came from a legitimate contractor rather than a miscreant.
Password hygiene and specific alternatives offered in PWNED
The column uses the episode to illustrate concrete weaknesses: choosing a password from a well-known movie plotline and using a password without numbers, capital letters, or symbols. PWNED recommends stronger practices: generate a random string of letters and numbers for ordinary passwords and store them in a password manager. For the password manager itself, the piece suggests a passphrase that includes capital letters, symbols, and numbers — offering the example “Shoe-Please6-Wrapped-Carbon-Wear.” It also points readers to Keeper’s Passphrase Generator as a tool to produce random passphrases and recommends using a passphrase for admin passwords.
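As an added illustration (not code from the PWNED column or from Keeper), the Python below audits a candidate password against the weaknesses the column names and generates a passphrase in the shape of its example using a cryptographically secure random source. The wordlist, the denylist, the function names and the 7,776-word list size used for the entropy comparison are assumptions made for this example.

```python
import math
import secrets
import string

# Constructed sample wordlist for this example only; a real deployment would
# load a list with thousands of words so each word carries more entropy.
WORDS = ["shoe", "please", "wrapped", "carbon", "wear", "lantern", "orbit",
         "maple", "quartz", "velvet", "harbor", "pickle", "tundra", "cobalt",
         "ribbon", "saddle"]

# Constructed denylist of well-known cultural references; "rosebud" is the
# password from the anecdote.
CULTURAL_REFERENCES = {"rosebud", "citizenkane"}


def audit_password(candidate):
    """Return the weaknesses named in the column that apply to candidate."""
    findings = []
    # Compare letters only, so "Rosebud1!" is still recognised as "rosebud".
    letters = "".join(ch for ch in candidate.lower() if ch.isalpha())
    if letters in CULTURAL_REFERENCES:
        findings.append("well-known cultural reference")
    if not any(ch.isupper() for ch in candidate):
        findings.append("no capital letters")
    if not any(ch.isdigit() for ch in candidate):
        findings.append("no numbers")
    if not any(ch in string.punctuation for ch in candidate):
        findings.append("no symbols")
    return findings


def generate_passphrase(words=WORDS, count=5, separator="-"):
    """Build a passphrase shaped like the column's example using a CSPRNG."""
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    slot = secrets.randbelow(count)  # which word gets the single digit
    chosen[slot] += str(secrets.randbelow(10))
    return separator.join(chosen)


def passphrase_entropy_bits(wordlist_size, count=5):
    """Entropy of generate_passphrase: word choices, digit slot, digit value."""
    return count * math.log2(wordlist_size) + math.log2(count) + math.log2(10)


if __name__ == "__main__":
    print(audit_password("rosebud"))
    print(generate_passphrase())
    print(round(passphrase_entropy_bits(len(WORDS)), 1))  # 16-word demo list
    print(round(passphrase_entropy_bits(7776), 1))  # assumed large list size
```

The audit still flags "Rosebud1!" as a cultural reference even though it passes the three character-class checks, and the entropy figures show why the size of the wordlist matters more than the decoration.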
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: ensure admin credentials are not derived from public cultural references and enforce complexity (capitals, symbols, numbers) or use generated random strings; consider requiring password managers for credential storage.
- Procurement leaders and affected enterprises: plan for contractor access during off-hours work — include validated credential handoff or emergency support so upgrades are not delayed by unanswered phones.
- End users and the general public: avoid picking passwords tied to well-known movies or other public facts; follow the column’s advice to use a password manager and a strong passphrase for the manager itself.
A final note from PWNED and how to share similar stories
PWNED invites readers to share stories of lax security at pwned@sitpub.com; anonymity is available upon request. The column’s brief aside also mentions the author had recently watched The Third Man, framing the piece as part anecdote, part cautionary note about convenience and laziness in credential choices.
It’s a simple episode with an immediate lesson: a single guess — “rosebud” — exposed an avoidable weakness. The column closes by steering readers toward concrete mitigations already named above, leaving the practical question to network owners and administrators: will admin passwords and access plans be changed before the next weekend’s work?




