We all love to cheer on our favorite football team, especially as the Champions League enters its 66th season. Unfortunately, that devotion can also leave you vulnerable to cyberattacks when football fans in your organization choose passwords directly linked to their favorite club. Recent data from Specops Software shows which Champions League clubs appear most often in breached passwords.
Breached passwords: a major cybersecurity risk
Stolen credentials are responsible for 80% of hacking-related breaches, according to the Verizon Data Breach Investigations Report.
Large sets of breached credentials are easily accessible on the dark web, and attackers feed them into automated attacks such as credential stuffing (replaying leaked username/password pairs against a login form, betting that people reuse passwords across services) and password spraying (trying a short list of leaked or common passwords against many user accounts, staying under per-account lockout thresholds). Neither looks like a classic brute-force attempt on one account: each account sees only one or two failed logons, so lockout policies rarely trigger.
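As an added example (not part of the original article and not Specops code), here is a small Python detector that runs over constructed authentication-log lines and separates the many-accounts, few-attempts-each signature of spraying and stuffing from a conventional brute-force attack on a single account. The log format, thresholds and sample events are assumptions for illustration; map them to your own identity provider's failed-logon events (for example, event ID 4625 on Windows).

```python
"""Spot password spraying / credential stuffing in failed-logon events.

Added example, not Specops code. Assumes a simplified, constructed event
format: "<ISO timestamp> <user> <source_ip> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). 203.0.113.7 tries seven accounts
# once each and gets into the eighth; 198.51.100.23 hammers one account;
# 192.0.2.55 is a user who mistyped once.
SAMPLE_LOG = """\
2021-09-14T08:00:01 alice 203.0.113.7 FAIL
2021-09-14T08:00:02 bob 203.0.113.7 FAIL
2021-09-14T08:00:03 carol 203.0.113.7 FAIL
2021-09-14T08:00:04 dave 203.0.113.7 FAIL
2021-09-14T08:00:05 erin 203.0.113.7 FAIL
2021-09-14T08:00:06 frank 203.0.113.7 FAIL
2021-09-14T08:00:07 grace 203.0.113.7 FAIL
2021-09-14T08:00:08 heidi 203.0.113.7 SUCCESS
2021-09-14T08:01:00 alice 198.51.100.23 FAIL
2021-09-14T08:01:01 alice 198.51.100.23 FAIL
2021-09-14T08:01:02 alice 198.51.100.23 FAIL
2021-09-14T08:01:03 alice 198.51.100.23 FAIL
2021-09-14T08:01:04 alice 198.51.100.23 FAIL
2021-09-14T08:01:05 alice 198.51.100.23 FAIL
2021-09-14T08:01:06 alice 198.51.100.23 FAIL
2021-09-14T08:01:07 alice 198.51.100.23 FAIL
2021-09-14T08:01:08 alice 198.51.100.23 FAIL
2021-09-14T08:01:09 alice 198.51.100.23 FAIL
2021-09-14T09:30:00 bob 192.0.2.55 FAIL
2021-09-14T09:30:30 bob 192.0.2.55 SUCCESS
"""


def parse_events(log_text):
    """Turn the constructed log format into sorted (time, user, source_ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def analyse(log_text, window=timedelta(minutes=10), spray_accounts=5,
            spray_max_per_account=2, brute_attempts=8):
    """Return {source_ip: finding} for every source that matches a pattern.

    spray_or_stuffing: many distinct accounts failed from one source, with at
        most spray_max_per_account failures each (one or two candidates per
        user, staying under lockout).
    brute_force: a single account failed brute_attempts or more times.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        for i, (t0, _, _, _) in enumerate(evs):
            # Sliding window anchored on each event from this source.
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            per_account = defaultdict(int)
            for _, user, _, result in win:
                if result == "FAIL":
                    per_account[user] += 1
            if not per_account:
                continue
            worst = max(per_account.values())
            if len(per_account) >= spray_accounts and worst <= spray_max_per_account:
                # A success from the same source during the spray is the
                # account most likely to have been compromised.
                logged_in = sorted({u for _, u, _, r in win if r == "SUCCESS"})
                findings[ip] = {"kind": "spray_or_stuffing",
                                "accounts": len(per_account),
                                "logged_in": logged_in}
                break
            if worst >= brute_attempts:
                account = max(per_account, key=per_account.get)
                findings[ip] = {"kind": "brute_force", "account": account,
                                "attempts": per_account[account]}
                break
    return findings


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

Credential stuffing and spraying look alike in the logs: many accounts, one or two attempts each. What separates them is the candidate list (leaked pairs versus a short common-password list), which a failed-logon event does not show. What you can do is correlate by source across accounts and treat any success from a flagged source as a probable compromise; real campaigns also spread attempts across many source addresses, so group by network, ASN or user agent as well as by IP.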
If you do not know whether such passwords already exist in your environment, and neglect the measures that prevent them from being created, you are effectively leaving the doors open and putting your organization at high risk of becoming another data-breach statistic at the hands of cybercriminals.
Champions League clubs in lists of breached passwords: the results
This analysis used 800 million compromised passwords from known leaks and recent attacks, a subset of Specops' database of over 2.5 billion compromised passwords.
The results show that Italian club Milan comes out on top, appearing more than 100,000 times, followed by Chelsea, Liverpool, Porto and French club Lille, which rounds out the top five.
The ranking of European clubs in the compromised-password analysis continues with:
- Real Madrid
- Manchester United
- Inter Milan
- Bayern Munich
- Manchester City
- Young Boys Bern
In addition to official club names, many clubs have nicknames that resonate with their fans, and these widen the attack surface that system administrators have to cover.
In this analysis, City tops the ranking with 225,000 appearances. Not far behind, with 205,000, comes Paris Saint-Germain, echoing the rivalry between the two clubs, owned respectively by interests from the United Arab Emirates and Qatar. Liverpool and Chelsea follow, and Bayern Munich rounds out the top five.
Football clubs by nickname:
- City (Manchester City)
- PSG (Paris Saint-Germain)
- Reds (Liverpool)
- Blues (Chelsea)
- Bayern (Bayern Munich)
- La Dea (Atalanta)
- Indios (Atlético Madrid)
- Blancos (Real Madrid)
- Rossoneri (AC Milan)
- Blaugrana (Barcelona)
- Dragoes (Porto)
- Bianconeri (Juventus)
- Mastiffs (Lille)
- Nerazzurri (Inter Milan)
- Wölfe (Wolfsburg)
- Blauwzwart (Brugge)
- Red Devils (Manchester United)
- Kara Kartallar (Beşiktaş)
- Godenzonen (Ajax Amsterdam)
- Submarino Amarillo (Villarreal)
Key takeaways
Users have chosen personal, memorable terms such as football club names for their passwords since passwords were invented, and it is no surprise that this continues today.
Passwords are not going away any time soon. As cyberattacks grow more prevalent and sophisticated, confidence in this first line of defense should be a priority in any organization's cyber defense strategy.
We need only look at the crippling impact of the attack on Colonial Pipeline in the US, which began with a compromised VPN password, and at the roughly 500,000 Fortinet VPN credentials recently leaked on the dark web, to see how serious this threat is.
What to do next
Enforce a strong password policy.
The Active Directory password is often the weakest link in a Windows network, and enforcing a strong password policy in your organization should be a multi-faceted approach.
Examine password length and complexity, block the predictable placement of character types (a capital letter at the start, digits or symbols at the end), and automatically block consecutively repeated characters. To make strong passwords easier to create, encourage users to choose passphrases. To stop favorite football clubs from showing up in passwords, block compromised passwords through a service that is continually updated with passwords captured from live attacks. You should also maintain custom password dictionaries to block words relevant to your organization, such as its name, location, services, acronyms, and local sports teams.
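The rules above in one place, as an added example written for this article (not Specops code): a Python check that applies a length minimum, the consecutive-repeat and predictable-shape rules, and a custom dictionary seeded with club names and nicknames from this analysis plus two hypothetical organization terms (acmecorp, london). Digit and symbol substitutions are folded back before the dictionary match, because "M1l4n!" is still Milan. The compromised-password lookup belongs in a separate breached-list service and is not part of this block.

```python
"""Password-policy check: length, repeats, predictable shape, custom dictionary.

Added example, not Specops code. Dictionary entries and thresholds are
assumptions for illustration.
"""
import re

# Custom dictionary: club names and nicknames from this analysis, plus two
# hypothetical organisation-specific terms (acmecorp, london).
CUSTOM_DICTIONARY = {
    "milan", "chelsea", "liverpool", "porto", "lille", "city", "psg", "reds",
    "blues", "bayern", "rossoneri", "blaugrana", "nerazzurri", "reddevils",
    "bianconeri", "dragoes", "blancos", "realmadrid", "acmecorp", "london",
}

# Common letter substitutions, folded back so "M1l4n" matches "milan".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Capital letter first, a run of lowercase, then 1-6 digits/symbols at the
# end: the most common shape in leaked corpora.
PREDICTABLE_SHAPE = re.compile(r"[A-Z][a-z]+[0-9!@#$%^&*.?]{1,6}")


def normalise(password):
    """Lowercase, undo leet substitutions, and drop everything but letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password, min_length=15):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if re.search(r"(.)\1\1", password):          # three or more in a row
        problems.append("repeated_chars")
    if PREDICTABLE_SHAPE.fullmatch(password):
        problems.append("predictable_shape")
    norm = normalise(password)
    for word in sorted(CUSTOM_DICTIONARY):
        # Words shorter than four letters produce too many false positives.
        if len(word) >= 4 and word in norm:
            problems.append(f"dictionary:{word}")
    return problems


if __name__ == "__main__":
    for candidate in ("Milan2021!", "R0ss0neri4Ever!!",
                      "aaaBBBccc1234567", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Short nicknames need care when you build the dictionary: "city" also sits inside "velocity", which is why the check skips three-letter entries such as "psg" and why substring matching should be reviewed against your own user base before it goes live. Stripping non-letters before matching means "Liver_pool" and "Liver.pool" are caught as well as "liverpool".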
Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA)
Two-factor authentication (2FA) adds an extra layer of security, giving additional assurance that the user is who they claim to be.
2FA can still be defeated in sophisticated attacks (for example, by phishing the one-time code in real time), and it can become an obstacle if the second factor lives on a mobile device the user does not have at hand.
MFA, which lets you combine and choose among several factors, addresses both limitations: a user can fall back on an alternative factor when the phone is unavailable, and phishing-resistant factors such as hardware security keys raise the bar well beyond a one-time code. Either way it reduces the risk of account takeover and strengthens the defense against credential-based attacks.
Find the breached passwords in use in your organization today
The Have I Been Pwned (HIBP) Pwned Passwords service is a valuable source of breached passwords, containing more than 613 million compromised passwords to date. Last updated in November 2020, the HIBP list can be downloaded for free (as SHA-1 or NTLM hashes) to research the use of breached passwords in your organization.
You can also use Specops' free password auditing tool to automate the process against an updated list of over 750 million compromised passwords, removing the need for manual effort and scripting, and analyze the results in an interactive dashboard. You may be surprised at what you find.
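An added example (not HIBP's or Specops' code) of the two ways to consult the HIBP data without ever sending a password anywhere: a seek-based binary search over the downloaded "ordered by hash" file, which is the only practical way to query a file of that size, and the k-anonymity range form used by the online API, where only the first five hex characters of the SHA-1 leave your machine. The file written here is a constructed five-line stand-in for the real download and its counts are made up; the NTLM-ordered variant works the same way with an NT hash (MD4 of the UTF-16LE password) in place of SHA-1.

```python
"""Offline Pwned Passwords lookups: file binary search and k-anonymity ranges.

Added example, not HIBP or Specops code. The sample file is constructed and
its counts are invented. Real file layout: "UPPERCASE-SHA1:count" per line,
sorted by hash.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for the downloaded list. The words are typical breached
# passwords; the prevalence counts are made up for the example.
SAMPLE_COUNTS = {"password": 3730471, "milan": 52137, "liverpool1": 11902,
                 "chelsea": 60210, "Psg2020": 314}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_sample_file():
    """Write a tiny file in the ordered-by-hash layout and return its path."""
    rows = sorted((sha1_hex(pw), n) for pw, n in SAMPLE_COUNTS.items())
    path = os.path.join(tempfile.mkdtemp(), "pwned-sample.txt")
    with open(path, "wb") as fh:
        for h, n in rows:
            fh.write(f"{h}:{n}\r\n".encode())
    return path


def _line_at_or_after(fh, pos):
    """Return (start, line) of the first full line starting at offset >= pos."""
    fh.seek(max(pos - 1, 0))
    if pos > 0:
        fh.readline()          # discard the rest of the line containing pos-1
    start = fh.tell()
    return start, fh.readline()


def file_lookup(path, digest):
    """Binary-search the sorted file by byte offset; return the count or 0."""
    lo, hi = 0, os.path.getsize(path)
    with open(path, "rb") as fh:
        while lo < hi:
            mid = (lo + hi) // 2
            start, line = _line_at_or_after(fh, mid)
            if not line:                      # no line starts at or after mid
                hi = mid
                continue
            h, _, count = line.decode().rstrip("\r\n").partition(":")
            if h == digest:
                return int(count)
            if h < digest:
                lo = start + len(line)        # target lies after this line
            else:
                hi = mid                      # target lies before mid
    return 0


def range_request(password):
    """Split the SHA-1 into the 5-char prefix sent to the API and the kept suffix."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def local_range_response(path, prefix):
    """What the API returns for a prefix: every matching suffix with its count."""
    with open(path, "rb") as fh:
        return "\r\n".join(
            line.decode().rstrip("\r\n")[5:]
            for line in fh if line.decode().startswith(prefix))


def count_in_range_response(response_text, suffix):
    """Match our suffix locally, so the full hash never leaves the client."""
    for row in response_text.splitlines():
        candidate, _, count = row.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    path = make_sample_file()
    for pw in ("password", "Psg2020", "correct horse battery staple"):
        prefix, suffix = range_request(pw)
        via_api = count_in_range_response(local_range_response(path, prefix), suffix)
        print(f"{pw!r}: file={file_lookup(path, sha1_hex(pw))} range={via_api}")
```

For an Active Directory audit you do not have plaintext passwords, only NT hashes extracted from the directory, so the file_lookup function is the part that transfers: point it at the NTLM-ordered download and pass the NT hash instead of a SHA-1. The range form is what belongs in a password-change hook, where the candidate password is available and you want the freshest data without downloading the full list.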