Using Major League Baseball team names as passwords is a home run for hackers
Mar 29, 2021 (Last updated on March 29, 2021)
The Cincinnati Reds, America’s oldest baseball team, may have one of Major League Baseball’s (MLB) worst pre-season odds to win the World Series, but the team sits alone in first place on Specops’ breached password list.
This is according to our new research, released in advance of Opening Day 2021, which analyzed more than 800 million breached passwords (a subset of the larger list of over 2 billion passwords included with Specops Breached Password Protection) to determine how often MLB team names and their mascots appear on breached password lists. In total, our research found that ‘Cincinnati Reds’ appears within breached password lists almost 150,000 times.
The Los Angeles Angels, Tampa Bay Rays, New York Mets and Minnesota Twins round out the top five MLB teams identified in our analysis. In contrast, the Arizona Diamondbacks, Toronto Blue Jays and Oakland Athletics are the least likely MLB team names to be used in passwords, our research found.
The complete rankings:
- Cincinnati Reds
- Los Angeles Angels
- Tampa Bay Rays
- New York Mets
- Minnesota Twins
- Detroit Tigers
- Texas Rangers
- Chicago Cubs
- New York Yankees
- Boston Red Sox
- San Francisco Giants
- Pittsburgh Pirates
- Atlanta Braves
- Houston Astros
- Los Angeles Dodgers
- Kansas City Royals
- Cleveland Indians
- St. Louis Cardinals
- San Diego Padres
- Philadelphia Phillies
- Chicago White Sox
- Colorado Rockies
- Baltimore Orioles
- Miami Marlins
- Seattle Mariners
- Milwaukee Brewers
- Washington Nationals
- Oakland Athletics
- Toronto Blue Jays
- Arizona Diamondbacks
Hackers are opportunistic and known to take advantage of current events, such as the start of a professional sports season. Just a few weeks ago, we published a similar password study on the frequency of musicians and music groups tied to the Grammys.
What about the mascots?
For fun, we decided to research whether MLB team mascots also show up in our password list research. While we thought we might find an abundance of Phillie Phanatic, Billy the Marlin, Wally the Green Monster and Mr. and Mrs. Met, each of those famous mascots appeared fewer than 500 times, with Billy the Marlin showing up only once (this makes sense when considering just how unpopular the Marlins are these days).
The most popular mascots found within breached password lists include Houston’s Orbit, Cincinnati’s Gapper, Detroit’s Paws, Toronto’s Ace, Colorado’s Dinger, Atlanta’s Blooper and Arizona’s Baxter. All of these team mascots appeared at least several thousand times.
The urgent need for stronger password management and authentication
There is perhaps no greater weakness to a company’s cybersecurity posture than employee passwords. While an increasing number of organizations are implementing password standards based on corporate security best practices or guidelines from organizations like NIST or CMMC, many companies continue to allow their workers to create passwords with only minimal parameters in place.
Take SolarWinds as an example: the company at the forefront of one of the biggest cybersecurity events in recent history was taken to task for using ‘solarwinds123’ as its backup server password. While it is believed that an intern, not a full-time employee, may have actually set this password and posted it on GitHub, the lesson learned is that password security must derive from the most senior levels of IT and security within an organization.
Social engineering and AI-driven ‘spray and pray’ attacks are escalating the frequency and sophistication of attempted credential theft, meaning it’s easier than ever for an attacker to obtain passwords for nefarious reasons. To help reduce risk, all companies, regardless of size or industry, should at the very least block weak passwords, create compliant password policies and target password entropy to enforce password length and complexity, while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters.
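The controls listed above map directly onto checks a password filter can run at change time. The following is an added example, not Specops code and not part of the original post: it rejects passwords found on a breached list, passwords that contain a blocked dictionary term (the team names from this post, matched as substrings after stripping separators), runs of consecutively repeated characters, a digit or symbol at the beginning or end, too few character classes, and an entropy estimate below a floor. The breached list, blocked terms and every threshold (`MIN_LENGTH`, `MIN_ENTROPY_BITS`, `MAX_RUN`, `MIN_CLASSES`) are constructed placeholder values chosen for illustration; a real deployment would load a breached list of the size described above and set thresholds from its own policy.

```python
import math
import re
import string
from typing import List

# Constructed sample of a breached-password list (illustrative only; a real
# deployment loads a list of hundreds of millions of entries).
BREACHED_PASSWORDS = {
    "solarwinds123",
    "password1",
    "cincinnatireds",
    "baseball2021",
}

# Constructed blocklist of dictionary terms matched as substrings after
# normalisation. Short terms (e.g. "reds") cause more false positives than
# long ones; choose the length/precision trade-off per policy.
BLOCKED_TERMS = (
    "cincinnatireds",
    "losangelesangels",
    "tampabayrays",
    "newyorkmets",
    "minnesotatwins",
    "reds",
    "angels",
)

# Assumed policy values; adjust to the organisation's own standard.
MIN_LENGTH = 12          # minimum characters
MIN_ENTROPY_BITS = 60.0  # floor for the rough charset-based estimate below
MAX_RUN = 2              # a character may not appear more than 2 times in a row
MIN_CLASSES = 3          # at least 3 of: lower, upper, digit, symbol

EDGE_CHARS = set(string.digits + string.punctuation)
RUN_PATTERN = re.compile(r"(.)\1{%d,}" % MAX_RUN)


def normalize(password: str) -> str:
    """Lowercase and drop separators so 'Cincinnati-Reds!2021' still matches 'cincinnatireds'."""
    return re.sub(r"[^a-z0-9]", "", password.lower())


def count_classes(password: str) -> int:
    """Number of distinct character classes present (lower, upper, digit, symbol)."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def estimate_entropy_bits(password: str) -> float:
    """Rough estimate: length * log2(size of the character pool actually used).

    This over-estimates for dictionary-based passwords, which is exactly why the
    breached-list and blocked-term checks run alongside it."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


def check_password(password: str) -> List[str]:
    """Return the list of policy violations (empty list means the password is acceptable)."""
    violations = []
    norm = normalize(password)
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if password.lower() in BREACHED_PASSWORDS or norm in BREACHED_PASSWORDS:
        violations.append("breached")
    if any(term in norm for term in BLOCKED_TERMS):
        violations.append("blocked_term")
    if RUN_PATTERN.search(password):
        violations.append("repeated_run")
    if password and (password[0] in EDGE_CHARS or password[-1] in EDGE_CHARS):
        violations.append("edge_char")
    if count_classes(password) < MIN_CLASSES:
        violations.append("too_few_classes")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        violations.append("low_entropy")
    return violations


if __name__ == "__main__":
    # Constructed candidates, including the backup-server password named in this post.
    for candidate in ("solarwinds123", "Cincinnati-Reds!2021", "Passsword1", "Tg7#mWq!pLz4vRb"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Running the block prints one line per candidate; the breached-list and blocked-term checks fire even when a password otherwise satisfies the length and complexity rules, which is the point the ranking above makes.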
Contact us today for more information about how Specops can help mitigate your organization's password-driven risks in Active Directory. In the meantime, let’s get ready for first pitch by making sure not to use a password that is too easy to guess or is readily found on a breached password list.