With the 2022 Qatar World Cup now underway, Specops Software has released findings on how commonly passwords contain a likely player name, country or other World Cup-related term.
According to the research by Specops, which analysed over 800 million compromised passwords (a subset of a larger list included within its Breached Password Protection list of over 3 billion passwords), ‘Kane’, possibly in reference to England forward Harry Kane, was third in the list of most popular names. In total, Kane appeared within breached password lists over 133,000 times.
Digging deeper into the most common names listed, Specops found the top 20 included Grzegorz ‘Lato’ (no.1), Thierry ‘Henry’ (no.5), ‘Pele’ (no.11), Bobby ‘Moore’ (no.13), Lionel ‘Messi’ (no.14) and ‘Ronaldo’ (no.18).
While it is impossible to know the reason behind a password choice, there’s a high probability that the user intends to base it on someone or something memorable, e.g. a famous footballer or their favourite team.
Specops also analysed which of the countries that qualified for the 2022 World Cup appeared in the breached password database and found ‘USA’ at the top, appearing over 1.3 million times.
This was followed by ‘Iran’ and ‘France’ in second and third places respectively, with ‘Japan’ and ‘Canada’ rounding out the top 5. ‘England’ featured in ninth place with slightly more than 20,300 appearances.
‘Soccer’ topped the breached password lists in the other football-related category. ‘Soccer’ made over 140,000 appearances, surpassing the other two terms in the top three, ‘football’ and ‘FIFA’, combined.
Most eyes and ears will be glued to the 2022 World Cup for the next four weeks, with the event likely to dominate headlines. However, because of this, hackers will use the opportunity to target unsuspecting victims. The same can be said for other professional sporting events and even superhero premieres.
Using commonly known terms or phrases for passwords is seen as low-hanging fruit for cybercriminals, as the passwords frequently appear on leaked lists on the dark web and are then used in attacks in order to gain unauthorised access to user accounts and networks.
Speaking about the findings, Darren James, Technical Lead at Specops Software said that users should consider tougher passwords to prevent their data being breached, while also avoiding using sports teams.
“Once again, we see users scoring an own goal when it comes to making password decisions,” James said. “As passwords form at least one factor, or provide a “fallback”, in most MFA solutions, we recommend switching to a long and strong passphrase wherever possible.
“Weak or easily guessable words, such as local or popular sports teams, that might be followed by users in your organisation, can be tackled by blocking them within a password dictionary.”