To be a sports fan is to know pain. Yet no matter how terrible your favorite team's record is that season, attackers will have no mercy on those who use that team's name, in all lowercase letters, as their password.
New information from Splash Data shows that the 25 most common sports-themed passwords -- the ones hackers will be most likely to try in a brute force attack -- bear no relation to the recent success of the team.
The top two passwords, "baseball," and "football," made it onto Splash Data's top 10 most common passwords list (numbers 8 and 10, respectively) earlier this year. The full 25 are:
There are some tempting ways to interpret these figures, which in no way reflect the biases of this author (in other words, which in every way reflect the biases of this author). For example, that basketball fans are generally quite intelligent about their password selection practices, with the exception of those foolish Los Angeles Lakers fans ("lakers"). And that New York Yankees fans ("yankees") are by far the most feeble-minded password creators in the baseball world. Yet, being a sports fan with an illogical loathing for the Lakers and Yankees, this author would say something like that, wouldn't she?
A fairer way to interpret it: the wider the fan base, the more common the password, the more likely the target. There are a few other things worth noting in this data, too.
Although baseball, soccer, hockey, and basketball teams do appear on the top 25, the names of NFL teams show up most often ("eagles," "steelers," "cowboys," "raiders," "packers," "giants," "redskins," "dolphins"). So if you know you work in an office full of football fans, urge them to enhance their passwords (especially if the local team is in the NFC East division).
Also worth noting is that the adoration of basketball hero Michael Jordan ("jordan," "jordan23") endures, 12 years after he retired from playing basketball (for the third time).
While "baseball," "football," "hockey," "soccer," "nascar," "tennis," and "golfer" all appear in the top 25, "basketball" does not -- possibly because the word surpasses the character limit of some password systems.
[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]
The most glaringly obvious characteristic of these passwords, of course, is that, with the exception of "jordan23," they are all lowercase letters, with no capitals, numerals, or special characters. This is not a problem that can be blamed solely on end users; the sites and services that accept these passwords are just as at fault.
“Being a super fan of any team or athlete doesn’t mean you should put your identity at risk with easily guessable passwords,” said Morgan Slain, CEO of SplashData. “It’s okay to use your favorite team as part of a password, but you should try to make it unique by adding spaces or other characters plus numbers or other words to make the password harder to crack.”
So, as the NCAA basketball tournament goes on, if the Kentucky, Duke, or Gonzaga fans in your user base are inspired to show their school spirit when choosing passwords, encourage them to at least throw some numerals, capital letters, and special characters in. At least try for something as complicated as "W!1dcats" "[email protected]!l0ka4," or "G0Zag$Go."