March Madness and Spring Training underway. NFL draft and NBA playoffs soon to come. Your users may be even more tempted than ever to create some of these bad sports-related passwords

Sara Peters, Senior Editor

March 23, 2015

3 Min Read

To be a sports fan is to know pain. Yet no matter how terrible your favorite team's record is that season, attackers will have no mercy on those who use that team's name, in all lowercase letters, as their password. 

New information from Splash Data shows that the 25 most common sports-themed passwords -- the ones hackers will be most likely to try in a brute force attack -- bear no relation to the recent success of the team.

The top two passwords, "baseball," and "football," made it onto Splash Data's top 10 most common passwords list (numbers 8 and 10, respectively) earlier this year. The full 25 are:

1.    baseball
2.    football
3.    hockey
4.    jordan
5.    soccer
6.    yankees
7.    jordan23
8.    eagles
9.    golfer
10.  steelers
11.  rangers
12.  lakers
13.  arsenal
14.  cowboys
15.  tigers
16.  tennis
17.  nascar
18.  raiders
19.  angels
20.  redsox
21.  packers
22.  giants
23.  redskins
24.  gators
25.  dolphins

There are some tempting ways to interpret these figures, which in no way reflect the biases of this author (in other words, which in every way reflect the biases of this author). For example, that basketball fans are generally quite intelligent about their password selection practices, with the exception of those foolish Los Angeles Lakers fans ("lakers"). And that New York Yankees fans ("yankees") are by far the most feeble-minded password creators in the baseball world. Yet, being a sports fan with an illogical loathing for the Lakers and Yankees, this author would say something like that, wouldn't she?

A fairer way to interpret it: the wider the fan base, the more common the password, the more likely the target. There are a few other things worth noting in this data, too.

Although baseball, soccer, hockey, and basketball teams do appear on the top 25, the names of NFL teams show up most often ("eagles," "steelers," "cowboys," "raiders," "packers," "giants," "redskins," "dolphins"). So if you know you work in an office full of football fans, urge them to enhance their passwords (especially if the local team is in the NFC East division).  

Also worth noting is that the adoration of basketball hero Michael Jordan ("jordan," "jordan23") endures, 12 years after he retired from playing basketball (for the third time). 

While "baseball," "football," "hockey," "soccer," "nascar," "tennis," and "golfer" all appear in the top 25, "basketball" does not -- possibly because the word surpasses the character limit of some password systems.

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

The most glaringly obvious characteristic of these passwords, of course, is that, with the exception of "jordan23," they are all lowercase letters, with no capitals, numerals, or special characters. This is not a problem that can be blamed solely on end users; the sites and services that accept these passwords are just as at fault.

“Being a super fan of any team or athlete doesn’t mean you should put your identity at risk with easily guessable passwords,” said Morgan Slain, CEO of SplashData. “It’s okay to use your favorite team as part of a password, but you should try to make it unique by adding spaces or other characters plus numbers or other words to make the password harder to crack.”

So, as the NCAA basketball tournament goes on, if the Kentucky, Duke, or Gonzaga fans in your user base are inspired to show their school spirit when choosing passwords, encourage them to at least throw some numerals, capital letters, and special characters in. At least try for something as complicated as "W!1dcats" "J@hl!l0ka4," or "G0Zag$Go." 

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights