Skip to content
The top easy-to-crack, football-inspired password in a database of 1 billion unique, clear-text, breached passwords? You probably guessed it: “Football.”
The European Soccer Championship is creating maximum football fever, which has led to easy-to-crack passwords. E.g., say, “football.”
That password is of course easy to crack via a dictionary attack – a type of brute-force attack that involves trying thousands of random words as passwords, using sources like every word in Wikipedia’s databases or all of the words from the Project Gutenberg free eBook collection, all of which showed up in the “RockYou2021” word list released to a hacker forum earlier this month.
8.4 billion Entries
Not all of the 8.4 billion entries in the 100Gb Rock You 2021 list were breached passwords, Have I Been Pwned creator & maintainer Troy Hunt pointed out at the time, but they’re still useful for cracking.
“This list is about 14x larger than what’s in Pwned Passwords because the vast, vast majority of it isn’t passwords,” he tweeted. “Word lists used for cracking passwords, sure, but not real-world passwords, so they won’t be going into @haveibeenpwned.”
Football Championship
Beyond dictionary attacks, it is simpler still to crack a password such as “football” with just a little knowledge about human nature & current events. Unless you are not a sports fan, you will know that the UEFA European Football Championship is in full swing right across Europe.
It was rescheduled from last summer due to the pandemic, so this year’s return to the fields is a welcome return for football fans to cheer on their teams.
Football-Related Passwords – An Own-Goal
Fans are also using the occasion to be inspired to create weak passwords. The worst of the football-inspired weak passwords is that word “football”:
It occurs 353,993 times in the database of 1 billion unique, clear-text, breached passwords maintained by authentication firm Authlogics. In that database, there are “well over 1 million associated with football,” the company said on Wed.
Examples:
| Top 5 football terms | Number of occurrences |
| Football | 353,993 |
| Liverpool | 215,842 |
| Chelsea | 172,727 |
| Arsenal | 151,936 |
| Barcelona | 131,090 |
| Total | 1,136,155 |
Malicious ‘Players’
As Hunt has said in the past, the main issue behind insecure passwords stems from human nature: People who need to create passwords often find the path of least resistance, which leads to passwords that they’ll remember but that are insecure.
That may include a name of a pet or birthday, which malicious players can easily find via a quick online search, given that personally identifiable information (PII), pet names & birthdays are often shared freely on social media.
The huge number of football-associated passwords poses an “obvious problem,” Authlogics’ Kate Wotherspoon wrote in the report. “These breached passwords are obviously insecure due to the breach itself, but they also speak to serious problems for other accounts owned by the compromised individuals.”
Same Password
She pointed to Google research showing that 52% of people reuse the same password for multiple but not all accounts, only 33% use a different password for all accounts & 13% reuse the same password for all their accounts.
“If your password has been breached on one account, & you are one of the 52% of people who reuse their passwords regularly, you might find other accounts which were not breached also compromised,” Authlogics warned.
Password Problem
This “obvious problem” has plagued the security industry for years. Poor password hygiene includes password reuse, picking easy-to-guess passwords, or simply by leaving a password to get too old.
It took only one dusty, no-longer-used password for the Dark Side cyber-criminals to breach the network of Colonial Pipeline Co. last month, resulting in a ransomware attack that caused significant disruption & remains under investigation by the US govt. & cyber-security experts.
Although it’s not clear how the attackers got their hands on the password in the 1st place, it can be assumed it can’t have been too difficult, given that the VPN password they used for the US Colonial attack showed up in a batch of compromised passwords on the Dark Web, states Bloomberg.
Stolen Credentials
According to the Verizon 2021 Data Breach Investigations Report, stolen credentials are the primary means by which a bad player enters an organisation, with 61% of breaches attributed to them.
Privileged credentials open many doors, including too much confidential information that can be used for ransomware or double extortion attacks, where attackers not only paralyse networks, but also threaten to publish victims’ compromised data in order to up the pressure to pay the ransom.
How About ‘Football&^#)479!’
For those who cannot resist using football terms in their passwords, Authlogic passed on these tips to make their passwords stronger:
- Replace the password with a pattern. As opposed to using a word, which is easily recognisable & easily stolen, use a code or pattern formed out of letters or numbers which is unique to you.
- Use a variety of different symbols: A combination of letters (some upper case & some lower), numbers & symbols…This is particularly important if you are insistent on having your favourite football team in your password.
- Try your absolute best to not reuse passwords. While this might mean you need to remember more passwords (or use a password manager) it goes a long way to limiting the damage should one of your accounts become breached.
Passwordless
People hear these words of advice all the time. They already know that password reuse is dangerous, too, but they still do it. If the future of authentication is passwordless, it can’t come soon enough.
https://www.cybernewsgroup.co.uk/virtual-conference-june-2021/
