Some of the most popular hashcat rule sets were created by taking a large pool of hashcat rules (copied from existing sets or randomly generated) with a popular dictionary list and tallying how many passwords each rule was responsible for recovering when applied to a collection of password hashes from public breach data. The individual rules that lead to the greatest number of recovered passwords are the “winners” and make it into a new rule list.
For example, the famous OneRuleToRuleThemAll rule set was created by measuring the performance of hundreds of thousands of different rules against the Lifeboat data dump with the iconic rockyou.txt dictionary. You can read about the methodology in detail here. The methodology itself seems sound, and the rule list became quite popular and successful. However, a couple of observations make it clear that we can still do better.
With these observations in mind, we wanted to use a similar methodology to that of OneRuleToRuleThemAll to make new rule sets that are specially honed for cracking passwords that are known to comply with common password requirements. This work should accomplish three key goals.
The following sections describe the data, methodology, and results of this effort.
This section describes the data and defines some of the terms used in the methodology section.
This is a custom dictionary list that aims to improve on rockyou.txt without overinflating the size. It is composed of a deduplicated combination of the following lists.
The final size of super_dict.txt is 18,705,085 lines, which is only 30.4% bigger than rockyou.txt.
This is the candidate pool of existing rules from which the new rule sets were created. It is a deduplicated combination of the following rule sets, all of which are freely available on the internet.
The total rule count for super_rules.txt is 478,642 (by comparison, OneRuleToRuleThemAll has about 50,000).
One of the ways in which we aim to improve on OneRuleToRuleThemAll is by testing the performance of each rule against a much larger body of password hashes. Whereas the creators of OneRuleToRuleThemAll used the Lifeboat data dump as the hashes, we used a larger collection of password hashes numbering over 60 million from multiple sources, including HaveIBeenPwned, Crackstation, and Hashmob.
The collection of public password data we used can be split into two categories: known plaintexts, and unknown hashes. The password data that was already in plaintext form was used to create rehashed subsets of the total collection based on conformity to the different password requirements we wanted to curate rule sets for. Specifically, the following hash lists were created:
“Complex” means containing at least 3 unique character classes out of lower-case letters, upper-case letters, numbers, and special characters (i.e., everything else). For simplicity, these are named, in order (with line counts in parentheses):
We will refer to the above hash lists collectively as “Per-Policy Hash Lists”.
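The classification step described above, as an added example that is not taken from the authors' scripts: it assigns each plaintext to every per-policy list it satisfies and rehashes it. It assumes that an N-simple list holds every password of at least N characters (so complex passwords appear in both lists), that SHA-1 is the rehash type, and that the function names are hypothetical; the sample plaintexts are constructed.

```python
import hashlib

# Minimum lengths behind the article's list names (8-simple ... 14-complex).
MIN_LENGTHS = (8, 10, 12, 14)

# Constructed sample plaintexts, including one duplicate.
SAMPLE_PLAINTEXTS = ["password", "password", "Summer2023!", "correct horse battery"]


def char_classes(password):
    """Return the character classes present, using the article's four classes."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # "everything else": symbols, spaces, caseless letters
    return classes


def policies_for(password):
    """Names of every per-policy list this password belongs to (assumed nesting)."""
    is_complex = len(char_classes(password)) >= 3
    names = []
    for n in MIN_LENGTHS:
        if len(password) >= n:
            names.append(f"{n}-simple")
            if is_complex:
                names.append(f"{n}-complex")
    return names


def build_hash_lists(plaintexts):
    """Map policy name -> sorted, deduplicated SHA-1 hex digests (assumed hash type)."""
    lists = {}
    for pw in set(plaintexts):
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest()
        for name in policies_for(pw):
            lists.setdefault(name, set()).add(digest)
    return {name: sorted(hashes) for name, hashes in lists.items()}


if __name__ == "__main__":
    for name, hashes in sorted(build_hash_lists(SAMPLE_PLAINTEXTS).items()):
        print(name, len(hashes))
```

A long lower-case passphrase with spaces has only two classes, so it lands in the simple lists up to 14 characters but in none of the complex ones.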
The password data collected in the form of hashes, on the other hand, were kept as they are. These hash lists include (with line counts in parentheses):
These will be referred to simply as Lifeboat, LinkedIn, and NVIDIA, respectively.
We ran a series of hashcat sessions where we varied the dictionary, rules, hash list, and the loopback flag. The goal was to collect data that could measure the following:
The following lists summarize the experiment variables. Every permutation of the following variables was run, for a total of 88 hashcat sessions. The set of results from all hashcat sessions using rockyou.txt, OneRuleToRuleThemAll, and no loopback flag is the benchmark against which performance gains are measured.
Dictionary |
|
Rules |
|
--loopback |
|
Hash List |
|
In order to maintain consistency, collect relevant data, and keep the time requirements feasible, the following hashcat options were used:
Option | Parameter | Comment |
---|---|---|
-r | <path to rules> | The file containing the rules used to mangle the dictionary list. |
-m | <mode> | 0, 100, and 1000 for MD5, SHA1, and NTLM |
--status | | Print periodic status updates which are also written to a file with tee. |
-w3 | | Increase the work profile to dedicate a greater portion of the computer’s resources to hashcat. |
--loopback | | Appends recovered passwords to the working dictionary so they can be used to crack other passwords. |
--debug-mode=1 | 1 | Every time a new password is recovered, hashcat will log the rule that was used to crack it to the file specified with --debug-file. |
--debug-file | <path to logfile> | See --debug-mode |
-o | <path to output file> | Saves recovered passwords to a file as <hash>:<cleartext> |
--potfile-disable | | Prevents hashcat from using the potfile. This is critical to making sure the results from each hashcat session are not polluted by the results from a previous session. |
-O | | Optimize kernel. Limits hashcat to passwords under 32 characters in exchange for significant speed gains. |
Using the data from the debug files and the output files, we computed the top 50,000 rules that led to the most recovered passwords for each level of password requirements. These groups of 50,000 rules became the new rule sets. 50,000 was the chosen size for the new rule sets because it is a little smaller than OneRuleToRuleThemAll. However, we also created separate rule sets for the top 10,000, 1,000, and 64 rules in each category. The scripts used to perform these calculations are included in our GitHub repo for reference. The new rules are named by the password requirements they are tailored for, along with the number of rules they contain. For example, 12-complex-50k.rule contains the top 50,000 rules for cracking passwords that are at least 12 characters long and contain at least three character classes.
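The tallying step described above, as an added example rather than the scripts from the authors' repo: it merges the --debug-mode=1 logs of several sessions, ranks rules by the number of recoveries credited to them, cuts the ranking at the published sizes, and reports how much of the total each cut accounts for. The function names, the tie-break by rule text, and the sample log lines are assumptions made for this example.

```python
from collections import Counter

# Rule-set sizes the article publishes for each policy.
SIZES = (64, 1_000, 10_000, 50_000)

# Constructed debug-file contents (not real results): with --debug-mode=1 each
# line holds only the rule credited with one recovered password.
SESSION_A = ["$2 $0 $1 $2\n", "c\n", "$2 $0 $1 $2\n", "sa@\n", "c\n", "$2 $0 $1 $2\n", ":\n"]
SESSION_B = ["c\n", "$1\n", "$2 $0 $1 $2\n", "]\n", "\n"]


def tally_rules(debug_lines):
    """Count recoveries per rule for one session (any iterable of lines, e.g. a file)."""
    counts = Counter()
    for line in debug_lines:
        rule = line.rstrip("\r\n")  # strip the line ending only: a trailing space can be an argument
        if rule:                    # ignore blank lines
            counts[rule] += 1
    return counts


def merge_sessions(session_logs):
    """Add up the per-rule counts of every session run against one hash list."""
    total = Counter()
    for lines in session_logs:
        total.update(tally_rules(lines))
    return total


def rank_rules(counts):
    """Rules by recoveries, descending; ties broken by rule text so reruns give the same file."""
    return sorted(counts, key=lambda rule: (-counts[rule], rule))


def cut_rule_sets(ranked, sizes=SIZES):
    """Top-N prefix of the ranking for each requested size."""
    return {n: ranked[:n] for n in sizes}


def coverage(counts, rules):
    """Fraction of all credited recoveries that the given rules account for."""
    total = sum(counts.values())
    return sum(counts[r] for r in rules) / total if total else 0.0


if __name__ == "__main__":
    counts = merge_sessions([SESSION_A, SESSION_B])
    for size, rules in cut_rule_sets(rank_rules(counts), sizes=(2, 64)).items():
        print(size, len(rules), round(coverage(counts, rules), 3))
```

The coverage figure shows how quickly returns diminish as the cut grows, which is the trade-off behind publishing 64, 1,000, 10,000 and 50,000 rule variants.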
The resulting rule sets were then validated in another round of hashcat sessions against each hash list using both rockyou.txt and super_dict.txt. The loopback flag was omitted for the validation runs, and we only ran the validation sessions for the 50k rule sets since they are the ones designed to compete with OneRuleToRuleThemAll.
The new rule sets yielded modest increases to the number of passwords cracked in the test data, but we also tried them against two sets of password hashes from live environments as part of ongoing penetration tests. The gains in recovered passwords in the live environments were surprisingly high.
This section also includes a table showing the increased rates of recovery from using the loopback flag and substituting super_dict.txt for rockyou.txt.
Tables A and B compare the performance of the new rule lists against OneRuleToRuleThemAll. Each row in Table A uses the new rule list that corresponds to the target hash list in the leftmost column for that row. For the first row, that would be 8-simple-50k.rule, and so on. In Table B, each entry is using OneRuleToRuleThemAll. An interesting observation here is that the performance gains of the new rule sets are more pronounced when the password requirements include multiple character classes ("complex").
Hash List | Number of Hashes | Total Guesses | Recovered Hashes | Percent Recovered (%) | Guessing Efficiency |
---|---|---|---|---|---|
8-simple | 61779922 | 9.33982E+11 | 37981488 | 61.47869206 | 4.06662E-05 |
8-complex | 9966491 | 9.33982E+11 | 5434359 | 54.52630219 | 5.81848E-06 |
10-simple | 31595857 | 9.33982E+11 | 14321202 | 45.3262021 | 1.53335E-05 |
10-complex | 4604400 | 9.33982E+11 | 2076155 | 45.09067414 | 2.22291E-06 |
12-simple | 16137745 | 9.33982E+11 | 4255194 | 26.36795909 | 4.55597E-06 |
12-complex | 1831483 | 9.33982E+11 | 634389 | 34.63799555 | 6.7923E-07 |
14-simple | 10664614 | 9.33982E+11 | 1363405 | 12.78438207 | 1.45978E-06 |
14-complex | 739210 | 3.92339E+11 | 189210 | 25.59624464 | 4.82262E-07 |
Table A: Policy-Based Rule List
Hash List | Number of Hashes | Total Guesses | Recovered Hashes | Percent Recovered (%) | Guessing Efficiency |
---|---|---|---|---|---|
8-simple | 61779922 | 9.72608E+11 | 37634232 | 60.91660653 | 3.87E-05 |
8-complex | 9966491 | 9.72608E+11 | 4941433 | 49.58046919 | 5.08E-06 |
10-simple | 31595857 | 9.72608E+11 | 13653850 | 43.21405177 | 1.40E-05 |
10-complex | 4604400 | 9.72608E+11 | 1842763 | 40.02178351 | 1.89E-06 |
12-simple | 16137745 | 9.72608E+11 | 3952870 | 24.49456228 | 4.06E-06 |
12-complex | 1831483 | 9.72608E+11 | 560374 | 30.596735 | 5.76E-07 |
14-simple | 10664614 | 9.72608E+11 | 1246590 | 11.68903066 | 1.28E-06 |
14-complex | 739210 | 9.72608E+11 | 173845 | 23.51767427 | 1.79E-07 |
Table B: OneRuleToRuleThemAll
In addition to validating these new rule sets against the test data, we also had to try them out on two live engagements. For one of these engagements, we were able to retrieve the password history for the whole domain. Both domains used password policies that required a minimum length of 8 characters and had the complexity flag set to true. Table C shows how the new 8-complex-50k rules compared to OneRuleToRuleThemAll when using super_dict.txt as the dictionary.
Hash List | Number of Hashes | Total Guesses* | Total Guesses** | Recovered Hashes* | Recovered Hashes** |
---|---|---|---|---|---|
Domain 1 | 2253 | 9.33982E+11 | 9.72608E+11 | 52 | 37 |
Domain 2 | 910 | 9.33982E+11 | 9.72608E+11 | 159 | 132 |
Domain 2 with History | 10865 | 9.33982E+11 | 9.72608E+11 | 593 | 2296 |
Table C: New 8-complex-50k rules compared to OneRuleToRuleThemAll when using super_dict.txt
*8-complex-50k
**OneRuleToRuleThemAll
The new rule sets post a substantial gain over OneRuleToRuleThemAll relative to the smaller overall number of passwords cracked in the live environments. On the other hand, the password history for the second domain resulted in dramatically better numbers for OneRuleToRuleThemAll—almost four times as many cracks. This most likely indicates that a large portion of the password history on this domain is older than the current password policy, which highlights an important observation. OneRuleToRuleThemAll appears to be better generalized against passwords that are not limited by length and complexity requirements. Another possible implication is that the process of honing a rule list to target a specific set of password requirements might prevent it from generalizing well against passwords with unknown properties.
For the secondary objectives of testing the performance gains of super_dict.txt over rockyou.txt and of using the loopback flag, refer to tables D and E. Table D shows the total percent of hashes cracked from the Lifeboat, LinkedIn, and NVIDIA lists using super_rules.txt.
Hash Set | rockyou.txt | super_dict.txt |
---|---|---|
Lifeboat | 72.42% | 73.82% |
LinkedIn | 63.98% | 65.71% |
NVIDIA | 5.80% | 6.26% |
Table D: rockyou.txt vs super_dict.txt
Table E shows the increase in recovered passwords when using the loopback flag. These statistics are based on using super_dict.txt and super_rules.txt.
Hash Set | No Loopback | Loopback |
---|---|---|
Lifeboat | 73.82% | 79.05% |
LinkedIn | 65.71% | 67.41% |
NVIDIA | 6.26% | 7.16% |
Table E: Non-Loopback vs Loopback
The performance gains from the loopback option and the super_dict.txt dictionary are modest, but not negligible. For hash types that are fast enough to be using rockyou.txt, the 30.4% increase in search space from using super_dict.txt might be worthwhile. We’d recommend hashcat users enable the loopback flag as well, because the increase to the search space is relatively small.
An accidental advantage of this project is that the rules themselves afford insight into the patterns that people gravitate towards when they must create passwords with minimum length and complexity requirements. The rule sets with the top 64 performers make an interesting case study into what patterns rise to the top and how they change depending on the password requirements.
The most obvious pattern that shows up at all password requirement levels is the use of 4-digit years, typically appended to the end of the password. In most cases, the four-digit year is appended directly to the end of the password with rules like “$2 $0 $1 $2”. Appending the year with an exclamation mark ($2 $0 $1 $2 $!) or an “@” symbol ($@ $2 $0 $1 $2) also appears to be a common pattern but, more frequently, the year is instead combined with a permutation on the base word like truncation or capitalization. The following table shows some examples of how specific hashcat rules mangle their input.
Base Word | Rule | Output |
---|---|---|
password | $@ $2 $0 $1 $2 | password@2012 |
password | ] | passwor |
password | c | Password |
password | sa@ | p@ssword |
password | ^r ^e ^p ^u ^S | Superpassword |
By far the most common years that appeared in our hashcat rules were the years that were current when the data breaches occurred. As a result, our top-64 rule sets ended up littered with years from 2002 to 2012. Since the underlying cause of those rules being in the top 64 is easy to understand, and since leaving them as-is would make the rule sets ineffective in the present day, we took the liberty of replacing these years by hand with contemporary ones in the 2022-2024 range. As a rule of thumb, 2010 and 2011 were mapped to 2022 and 2023, since those were the most common. Occurrences of other years were mapped to 2024. In some cases, there were too many different old dates in the top-64 sets to keep this mapping strategy perfectly, so some of the rules were brought up to date and also given one of the common additional mutations, such as the “@” or the “!” symbol. While these substitutions were unavoidably the product of guesswork, the guiding principle was to represent the most current three years in all the common forms that the old years showed up, without duplicates. A more effective attack on 4-digit year patterns in passwords is an opportunity for future improvement, and a copy of the original top-64 lists is included in our GitHub repo for reference.
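The rule mechanics in the table above and the year substitution just described, as an added example that is not hashcat's code or the authors' scripts. It interprets only the small subset of hashcat rule functions listed in `RULE_FUNCS`, rewrites appended years only, and applies the rule of thumb mechanically where the authors worked by hand; all function names are hypothetical.

```python
# Supported rule functions: (number of literal argument characters, transformation).
RULE_FUNCS = {
    ":": (0, lambda w, a: w),                              # no-op
    "l": (0, lambda w, a: w.lower()),                      # lower-case everything
    "u": (0, lambda w, a: w.upper()),                      # upper-case everything
    "c": (0, lambda w, a: w[:1].upper() + w[1:].lower()),  # capitalize first, lower the rest
    "[": (0, lambda w, a: w[1:]),                          # delete first character
    "]": (0, lambda w, a: w[:-1]),                         # delete last character
    "$": (1, lambda w, a: w + a),                          # append one character
    "^": (1, lambda w, a: a + w),                          # prepend one character
    "s": (2, lambda w, a: w.replace(a[0], a[1])),          # replace every X with Y
}
OLD_YEARS = range(2002, 2013)                # years the article found in its top-64 sets
YEAR_MAP = {"2010": "2022", "2011": "2023"}  # article's rule of thumb; other years -> 2024

# Rows of the article's example table: (base word, rule, expected output).
TABLE = [
    ("password", "$@ $2 $0 $1 $2", "password@2012"),
    ("password", "]", "passwor"),
    ("password", "c", "Password"),
    ("password", "sa@", "p@ssword"),
    ("password", "^r ^e ^p ^u ^S", "Superpassword"),
]


def parse_rule(rule):
    """Split a rule into (function, args) pairs.

    A space between functions is a separator; a space right after '$', '^'
    or 's' is an argument and is kept.
    """
    ops, i = [], 0
    while i < len(rule):
        fn = rule[i]
        if fn == " ":
            i += 1
            continue
        if fn not in RULE_FUNCS:
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
        arity = RULE_FUNCS[fn][0]
        args = rule[i + 1 : i + 1 + arity]
        if len(args) != arity:
            raise ValueError(f"{fn!r} is missing an argument in {rule!r}")
        ops.append((fn, args))
        i += 1 + arity
    return ops


def apply_rule(rule, word):
    """Run every function of the rule over the word, left to right."""
    for fn, args in parse_rule(rule):
        word = RULE_FUNCS[fn][1](word, args)
    return word


def _appends_digit(op):
    return op[0] == "$" and op[1] in "0123456789"


def remap_years(rule):
    """Rewrite an appended old 4-digit year; return the rule in space-separated form."""
    ops, out, i = parse_rule(rule), [], 0
    while i < len(ops):
        run = ops[i : i + 4]
        isolated = not (i > 0 and _appends_digit(ops[i - 1])) and not (
            i + 4 < len(ops) and _appends_digit(ops[i + 4])
        )  # exactly four digits, not part of a longer number
        year = "".join(arg for _, arg in run)
        if len(run) == 4 and all(map(_appends_digit, run)) and isolated and int(year) in OLD_YEARS:
            out.extend(("$", d) for d in YEAR_MAP.get(year, "2024"))
            i += 4
        else:
            out.append(ops[i])
            i += 1
    return " ".join(fn + args for fn, args in out)


def modernize(rules):
    """Remap every rule and drop the duplicates the mapping creates, keeping order."""
    return list(dict.fromkeys(remap_years(r) for r in rules))


def table_mismatches():
    """Rows of TABLE whose computed output differs from the article's (expected: none)."""
    return [row for row in TABLE if apply_rule(row[1], row[0]) != row[2]]
```

Because every year outside 2010 and 2011 collapses to 2024, the mechanical mapping produces duplicates that `modernize` drops, which is the gap the authors filled by hand with the extra “@” and “!” variants.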
Another noticeable pattern in the top-64 rules is how the dominant patterns change as the length and complexity requirements of the passwords increase. When the password requirement is a simple 8-character minimum, most of the rules rotate or truncate a few characters and/or add some simple numbers to the end. The 4-digit dates become very prevalent once the 12-character minimum is reached, and the rule lists for 14-character minimums have several rules that add longer numbers or prefix the password with phrases like "ilove" or "mynameis". One of the more surprising features of the 12- and 14-character complex requirements is the presence of rules like "c $@ $g $m $a $i $l $. $c $o $m" that strongly indicate many people simply use their email address as their password! Above all, the top-64 results are important to this study because the very fact that the lists change so much as you alter the password requirements provides strong evidence that refining hashcat rule selection based on password requirements is worthwhile. People do not choose passwords the same way when confronted with an 8-character minimum as they do with a 14-character minimum and a mandatory three character classes. We can study these behaviors and we can target them. The gains offered by this project in our first attempt at targeting password requirements are modest, but the results demonstrate that there is real potential here to advance the art of password cracking in modern environments.
Although this project was successful at a basic level in producing hashcat rule sets that outperform OneRuleToRuleThemAll when the target passwords adhere to a known set of length and complexity requirements, there are some obvious weaknesses that limit its overall impact. These caveats are worth discussing not only because they place due contextual limits on the rule sets we created, but also because they illuminate opportunities to advance this kind of password cracking even further.
Each of the following items highlights a limitation of this project’s results and a corresponding opportunity for further work.
Minimum length and character class requirements are the de facto solution for forcing people to make more secure passwords. While such passwords are undeniably better than the ones created when there are no requirements, the optimal password requirements are still a subject of debate. Until password cracking (as it is practiced in the field) starts leaving behind its biases towards simple passwords from decade-old data breaches, we are going to have a hard time properly stress-testing the current theories on password requirements. The rule sets we have created here are a first step towards adapting our password cracking tools to contemporary password environments. There is still a long way to go.
The new rule sets created during this project, as well as several scripts supporting the workflow used to create them, are available open source in our GitHub repo.
About Cyber Solutions:
Cyber security services are offered by Stroz Friedberg Inc., its subsidiaries and affiliates. Stroz Friedberg is part of Aon’s Cyber Solutions which offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.
Article 8 mins
Cyber incidents continue to grow in frequency and severity, especially as new technology emerges. While D&O and cyber liability policies offer distinct coverage differences, terms need to be carefully structured to avoid potential gaps.
Article 6 mins
Insurers are venturing into the thriving digital landscape of the Metaverse, covering virtual assets, safeguarding intellectual property, and protecting the wellbeing of users and avatars. With this evolution, comes new challenges and the unique opportunity to shape the future of insurance.
Article 10 mins
Record-warm Atlantic Ocean temperatures and a shift to La Niña conditions have led forecasters to predict an extremely active Atlantic hurricane season in 2024. Learn how to build business resilience to mitigate risk for hurricane-prone properties.
Alert 7 mins
The U.S. Supreme Court has changed the way laws are interpreted in the development of regulations. This change has the potential for far-reaching consequences for both regulatory agencies and employers.
Article 18 mins
For institutional investors, engaging an outsourced chief investment officer, or OCIO, is one of the most critical decisions an organization can make. Choosing the right partner can lead to achieving the desired results or unexpected consequences.
Article 4 mins
Overview of the current trade credit insurance market and outlook on trend developments.
Article 11 mins
The need to attract and retain high-quality talent in an environment of intense competition is at the forefront of professional services leaders’ minds.
Article 11 mins
Renewable energy is critical to meet net-zero targets, but as the industry grows, so do cyber attack surfaces. Learn how to prepare for emerging threats and support long-term ambitions.
Article 7 mins
As the scale and speed of interconnected risks escalate, innovative risk management strategies help FAB businesses build the resilience and agility needed to thrive.
Article 10 mins
The renewable energy sector is undergoing a sweeping transformation, as it plays a pivotal role in the challenge to achieve global net-zero goals. Attracting, upskilling and retaining talent is critical for sustainability.
Article 7 mins
Contractors in EMEA face an array of risks they must mitigate or transfer while managing the complexities inherent in major construction projects.
Article 12 mins
As more companies seek to reduce their carbon footprint, the renewable energy sector continues to grow, presenting both opportunities and red flags for organizations with renewable energy growth plans.
Article 6 mins
Proactive risk management and data-driven reshoring strategies can empower risk managers in logistics companies to navigate supply chain complexities with confidence.
Article 5 mins
As more companies become comfortable using captives and understanding the value they add, captives are likely to become further embedded into corporate risk strategies, regardless of market conditions.
Article 6 mins
Helping midsize organizations leverage key partnerships to address challenges around talent, market, regulatory compliance, and leveraging capital.
Article 12 mins
A rapid rise in medical plan costs is being driven in part by high-cost claimants — a high-risk group that disproportionately accounts for a large amount of healthcare costs. Here are strategies for addressing this issue.
Article 9 mins
Online benefits platforms are a key component of the overall employee value proposition. As employers maximize the ROI of their people spend, here are four tips which may assist with implementing a successful online benefits platform.
Article 8 mins
Efforts to bring more transparency to pay practices shine a light on benefits equity — and it’s not only about wages and salary.
Article 3 mins
The rapid pace of digitalisation means that organisations in the UK are constantly struggling with the ever-present threat of cyber attacks.
Article 2 mins
Equity has an important part to play in a balanced strategy to improve the attraction and retention of key employees.
Article 2 mins
How are business leaders adapting to a generational change in how work gets done?
Article 2 mins
Lori Goltermann, CEO of Regions and Enterprise Clients, Aon examines the main issues discussed at the event.
Article 2 mins
Our panel discussion looked at the issues facing corporate treasurers and how they have become more complex and interconnected.
Article 3 mins
Businesses are still in search of competition, alternatives and innovation in their insurance programmes.
Article 2 mins
Companies and financial sponsors are constantly seeking innovative and capital-efficient ways to facilitate M&A deals.
Article 2 mins
Professor Trevor Williams analyses the latest indicators and what they mean for the UK — and global — economy.
Article 2 mins
How Aon is moving further, faster to bring new, innovative solutions that address companies’ risk and people challenges.
Article 5 mins
Today's employers need to continually learn and adapt to emerging technologies and skills if they are to thrive in the talent landscape.
Article 3 mins
Companies that operate around the world need to have a global appreciation of the heightening geopolitical risk.
Article 6 mins
Collective retirement plans are growing in popularity and improving employees’ financial wellbeing in the process. Other advantages that haven’t been as widely explored include how these retirement structures allow HR to shift its focus to strategy.
Article 8 mins
Getting ahead of risk is vital for North American construction contractors, as they aim to manage evolving issues, while delivering job safety, solving workforce shortages and containing project costs.
Alert 6 mins
The Department of Labor released a final rule increasing overtime protections for the standard salary level threshold for the “white collar" exemptions and the threshold for employees classified as Highly Compensated Employees. Employers need to prepare for these significant changes.
Article 10 mins
Climate change adaptation and the transition to net zero present huge premium growth opportunities for insurers. The key question is how to get started.
Article 7 mins
As the cyber insurance landscape continues to evolve in EMEA, companies need actionable insights and solutions to strengthen their cyber risk strategies.
Article 9 mins
The challenges of 2023 eroded the buffers that many insurers had previously enjoyed, bringing an increased focus on capital management and a variety of capital sources according to Aon’s capital poll.
Report 18 mins
While advancements in AI, cyber and data technology are helping companies operating in an increasingly digital world gain a significant competitive edge, they also introduce new and evolving risks.
Article 6 mins
As healthcare costs rise, voluntary benefits are a critical component of engaging employees, while also helping to manage direct and indirect medical expenses. Here are three strategies for employers to make the most of their voluntary benefits.
Article 8 mins
The expansive scope, stringent sanctions and pivotal role of management related to the new NIS2 Directive provide a strong foundation to protect against evolving cyber risks.
Article 8 mins
The London insurance market seeks a generation of game-changers who can navigate uncertainties and drive innovation to ensure the industry’s future success in a digitalised world.
Article 3 mins
From global supply chain risks to climate insecurity, organizations face challenges and complexities on a scale rarely seen before.
Article 15 mins
Artificial intelligence is having a measurable impact across all aspects of HR — from talent management to compensation, health and benefits, and retirement planning. To effectively harness the technology, HR leaders must ensure both their own teams and the wider workforce are prepared.
Article 3 mins
Risk Capital CEO Andy Marcell and Human Capital CEO Lambros Lambrou discuss how innovations in Risk Capital and Human Capital can help organizations boost resilience and navigate volatility.
Report 15 mins
Global business leaders highlight risks linked to trade as some of their top concerns — both physical and financial. While the topic is complex and broad, there are opportunities that business leaders can pursue to stay ahead of emerging trade dynamics.
Report 16 mins
Extreme weather and a changing climate are impacting many of the risks businesses face today. To address future exposures, organizations will need advanced climate and natural catastrophe models and expertise that can assess chronic and acute risks.
Report 14 mins
Engaging a changing workforce requires data and innovation. Workers increasingly expect more than just a paycheck. In response, organizations are balancing costs with the ability to provide a compelling employee experience.
Case Study 3 mins
Aon partnered with UK financial advice firm M&G Wealth to help the firm better understand the make-up of a highly successful advisor of the future, including the skills needed given shifts in societal needs, technology and regulation.
Article 8 mins
Advanced analytics can empower organizations with deeper insights into the risks and opportunities surrounding renewables, while also supporting energy transition investment.
Article 17 mins
Positive performance in 2023 fueled insurer growth ambitions but underwriting remained disciplined in the first quarter of 2024.
Article 12 mins
While digitalization is delivering transformational change to R&D across the sector, it is also rapidly reshaping recruitment and retention strategies.
Alert 6 mins
The FTC has announced a rule that bans noncompetes and clauses that have a similar effect. While the rule will face legal challenges, employers should take steps now to prepare for an environment where they cannot use noncompete agreements.
Article 7 mins
Risk advisory services can help construction stakeholders navigate uncertainties, optimize performance and drive growth in their projects.
Article 9 mins
While there are similarities in the risk profile of floating offshore wind and bottom-fixed offshore wind, challenges like unproven technology and tow-to-port strategies for maintenance require a collaborative approach between owners/developers and their insurance partners.
Article 4 mins
Macrotrends are transforming our world and creating emerging property-casualty exposures, which will have profound implications for the insurance industry.
Article 7 mins
Understanding market trends and future projections in an evolving cyber insurance market is paramount to strengthening risk mitigation and transfer strategies.
Article 5 mins
In an era of escalating climate-related challenges, the construction industry is turning to advanced climate modeling to fortify its risk management strategies.
Article 14 mins
Advances in technology will not only transform healthcare and treatment outcomes — benefit offerings, access to care, diagnosis, treatment and affordability challenges will also be radically changed. Here is what to expect as these efforts take shape globally.
Article 10 mins
As healthcare costs continue to rise, employers are struggling to balance cost control with attracting and retaining talent. The results of Aon's 2024 U.S. Health Survey point to key strategies organizations are using to help.
Article 11 mins
As the world races to reduce climate risks and limit CO<sub>2</sub> emissions, the demand for scalable and cost-effective decarbonization technologies is increasing. Carbon capture projects form an important part of the low carbon energy transition, bringing both challenges and opportunities.
Article 7 mins
Growing extreme heat conditions have escalated risks, delays and costs for the construction industry in North America. Parametric insurance can help protect against such risks, offering contractors and building owners agility, efficiency and flexibility.
Article 9 mins
The launch of the Unified Patent Court allows for a new patent filing process across Europe using a centralized system. While this brings significant financial and operational benefits, navigating these changes will demand a robust litigation risk management strategy.
Article 8 mins
Construction projects in EMEA are often impacted by extreme heat, leading to project delays and increased costs. Many heat exposures are excluded by traditional markets, however, parametric is a flexible solution that can help mitigate these risks.
Article 12 mins
New regulations in the U.S. and Europe will require companies to be more transparent about their pay practices. Combined with willingness among workers to talk about salary, the era of pay transparency is here.
Article 11 mins
As companies tailor their health and benefits to meet the needs of their employees, vital areas for support include family building and menopause.
Article 7 mins
Complex market dynamics in the construction industry are pushing organizations to proactively explore alternative risk transfer solutions, including parametric insurance and captives.
Article 11 mins
As new job roles and technologies emerge in the natural resources industry, employee expectations are also shifting. Leaders must rise to the challenge of securing talent to meet the world’s future energy needs.
Article 5 mins
Rulemaking from the Securities and Exchange Commission (SEC) highlights the importance of company transparency with investors and regulators around risk management and the impact of cyber events.
Article 13 mins
Five ways financial institutions can balance investment with prudence in an uncertain economic climate.
Article 12 mins
An increasingly interconnected and complex risk landscape continues to shape risk strategies and market responses.
Article 13 mins
To be successful, business leaders must keep pace with the key trends that will impact the risk and insurance landscape in 2024.
Article 9 mins
Taking a new approach to talent management and planning for worker shortages can help businesses in the energy and power industries build greater operational resilience.
Article 8 mins
As organizations build diversity, equity, inclusion and belonging in the workplace, they must also ensure benefit plans are designed and customized to meet the needs of a diverse workforce.
Article 11 mins
For investors, climate change means navigating uncertainties and understanding a wide range of potential outcomes.
Article 8 mins
Extreme cold and freeze were responsible for $15 billion worth of structural damage in recent years, as well as business interruption and supply chain impacts. We explore the threat chronic hazards pose and consider the influence of climate change on business.
Article