Check out any list of common passwords and there is a common trend among the choices – sports teams.
As the pinnacle of the NFL season gets ready to commence, I was interested by a blog post released this week by password manager provider Roboform which revealed the top NFL teams featured in passwords. Based on a dataset of ten million passwords, the data crunching revealed that the most popular gridiron team for a password was the Philadelphia Eagles, followed by the Dallas Cowboys, Pittsburgh Steelers and Oakland Raiders.
A nice smattering of teams from across the nation there, and a common theme: these are teams that are relatively well established in the NFL and have not moved location recently. Yes, I am old enough to remember the LA Raiders, and I see that the Los Angeles teams, the Rams and Raiders, come in 27th and 25th respectively.
In fact, those at the bottom of the list are the “newer” teams – the Houston Texans 32nd, behind the Arizona Cardinals and Wembley favorites the Jacksonville Jaguars.
Roboform highlighted that this year’s finalists the New England Patriots are clear winners over the Atlanta Falcons “when it comes to users expressing their fandom through their passwords.”
Also, according to an article determining the most popular teams in the league, the Eagles came in 28th place, while the “most popular” Green Bay Packers were the seventh most prominent in passwords.
Eagles fan and security consultant Tracy Maleeff from Sherpa Intelligence, who admitted to singing victory song “Fly Eagles Fly” on a loop while emailing Infosecurity, said that she was aware that this was a terrible list to be at the top of, but could not help but feel pride in seeing the Eagles as number one.
“Then, I remember that I’m supposed to be an information security professional and know that I have a lot of awareness work to do here in the Philadelphia area,” she said. “I have been guilty of this in the past, back before I knew better. Not personal accounts, but one specifically at a former place of employment which I know has since been changed. An assistant said to me ‘I always remember your password for [blank] because I just do the Eagles cheer in my head’. So, it’s easy to remember as well.”
Maleeff also said that Eagles fans are fiercely loyal, as multiple generations of families have experienced the joy and heartache of being an Eagles fan.
“You have hope every year that ‘this will be our year’, so it doesn’t surprise me that so many passwords reflect this in the Philly area. It’s like you type with purpose with hopes that it will unlock the Lombardi Trophy for Philadelphia.”
So, as many people are vocal about which team they support (in any sport), I asked Lawrence Munro, senior director of SpiderLabs EMEA at Trustwave, if it surprised him that people would use something so identifiable for something that is supposed to stay secret.
He said: “Unfortunately it’s not at all surprising to find such easily identifiable password choices - we find most people pick a password based on how likely they are to remember it, rather than any consideration for security. Analysis of almost half a million passwords for the 2015 Trustwave Global Security Report found that the sophisticated choices of Password1, Welcome1 and P@ssword were the three most popular passwords.
“Anyone who loves the Philadelphia Eagles enough to use them as a password will also probably have them splashed all over their social media pages, providing a handy hint for any attacker who cares to look.”
Maleeff agreed that people want passwords that they can remember, but ones that also make them feel good. Munro concurred that it is common for people to pick passwords close to their hearts - baby names and US city names were the most common words Trustwave found being used in passwords. “With that in mind, it would make sense for teams that inspire the most loyalty from their fans to also inspire the most passwords.”
Steve Manzuik, Duo Security director of research, told Infosecurity that in a targeted attack scenario an attacker will gather information on the target from public sources such as social media, mailing lists and online forums. If a password or security challenge question is based on any information you have shared, including your favorite team, that information will be considered when attempting to guess or brute-force the password or the password reset process.
“The reason we see a lot of people using things like favorite sports teams is because passwords can be hard to remember so most people will use something that is easy for them such as ‘sportsteam123’,” he said. “This is why we typically recommend the use of a password manager; it helps prevent users from using passwords that can be guessed while not having to remember complex strings of characters.”
If the average person has 27 passwords, and an NFL roster consists of 53 players, could you use each player as a separate password, such as “24DevontaFreeman” or “Brady12”? Obviously this is not a good idea, as any attacker would figure out the pattern fairly quickly, but as David Yates, information security consultant at MWR InfoSecurity, pointed out, people are asked to provide passwords for so many different services these days that, for the average person, memorability really trumps security. “If you don't know much about the state of the art in password guessing, you might not feel that your favorite team is really such a bad password.”
He added: “The key thing to keep in mind with password guessing is that it's automated. A human being might get bored going through, say, a list of the top 100 football players and trying different character substitutions on each one, but a computer won't.
“With automated guessing, especially in the case of offline cracking performed on stolen password hashes, millions of guesses can be made in a reasonably short amount of time. The only secure passwords, at this stage of the game, are strings of random characters or unusual sentences of at least 20 characters.”
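To show what Yates means in practice, here is an added example (not code from the article or any of the companies quoted): a defensive password-policy check that applies a guesser's mangling rules in reverse, so a team or player name with leet substitutions and a digit suffix is rejected before it ever reaches a stolen-hash file. The wordlist is a constructed subset of the names the article mentions, and the 20-character minimum for anything that is not wordlist-derived is an assumed simplification of Yates' advice.

```python
from __future__ import annotations
import re

# Constructed wordlist built from the team and player names the article mentions.
# A real audit would load full rosters, city names and baby names; this stays small.
WORDLIST = {
    "eagles", "cowboys", "steelers", "raiders", "patriots", "falcons", "packers",
    "rams", "texans", "cardinals", "jaguars", "brady", "devontafreeman",
    "sportsteam", "password", "welcome",
}

# The character substitutions a guesser applies to every wordlist entry, reversed.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "0": "o", "1": "i", "!": "i",
    "$": "s", "5": "s", "7": "t",
})

def normalized_forms(candidate: str) -> set[str]:
    """Return the plain-word forms a guesser's mangling rules could have produced."""
    lowered = candidate.lower()
    # Drop leading/trailing digits and symbols: "24DevontaFreeman" -> "devontafreeman".
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    # Undo leet substitutions both with and without the affix strip, so that
    # "P@ssword" and "3agl3s!" (the leading digit is itself a substitution) are caught.
    return {stripped, stripped.translate(SUBSTITUTIONS), lowered.translate(SUBSTITUTIONS)}

def wordlist_match(candidate: str) -> str | None:
    """Return the wordlist entry the candidate is derived from, or None."""
    for form in normalized_forms(candidate):
        for word in WORDLIST:
            # Short entries ("rams") only match exactly, to avoid flagging "programs";
            # longer ones also match as a substring ("goeagles", "eaglesfan").
            if form == word or (len(word) >= 5 and word in form):
                return word
    return None

def check_password(candidate: str) -> tuple[bool, str]:
    """Reject anything a wordlist guesser would reach; otherwise require a long passphrase."""
    word = wordlist_match(candidate)
    if word:
        return False, f"derived from guessable word '{word}'"
    if len(candidate) < 20:
        return False, "shorter than 20 characters"
    return True, "ok"

if __name__ == "__main__":
    for pw in ["Eagles2018", "P@ssword", "Brady12", "sportsteam123", "3agl3s!",
               "purple kettle drives to the moon"]:
        print(f"{pw!r:40} -> {check_password(pw)}")
```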
So as you sit through another multi-million dollar commercial and contemplate the decision between another beer and putting more chips in a bowl, maybe it’s time to use that timeout period to download a password manager and get some better security.