[New research] Golf takes gold: Appears in over 40K breached Olympic sport passwords

Today, the Specops research team is publishing new data on end users choosing their sporting hobbies as passwords. Inspired by the Paris 2024 Olympic Games, we’ve looked at breached passwords that contain sports from the global sporting event as a root term. This follows on from Specops’ parent company Outpost24’s attack surface analysis of the Paris Olympic Games online infrastructure.

The research also coincides with the latest addition of over 122 million compromised passwords to the Specops Breached Password Protection service.

In total, our research team found 157,048 sporting passwords that have been stolen by malware over the past 12 months. These are all real passwords being chosen by end users within real organizations, and they all represent a possible opportunity for a hacker to gain unauthorized access to a corporate system.

Darren James, Senior Product Manager at Specops Software, said this about the findings: “You might not think many people would use their favorite sport as a password, but this data shows they do. Most end users know they shouldn’t use their birthdays, children’s names, or even pet’s names as passwords – because it’s easy for hackers to find that information. However, they’ll still often reach for something familiar and memorable. Using a favorite hobby, film, or musician as your password carries risk too.”

Golf and football are the most breached sporting passwords

In total, we found 157,048 stolen passwords related to the 32 sports being played at this Summer’s Olympic Games. Golf appeared in the most breached passwords by some distance, with a total of 40,294. This was almost twice as many as the next highest, football with a total of 20,550. All of the passwords in this research are now compromised, so organizations are at risk of a breach if hackers are able to connect passwords to an end user and their place of work.

It’s also common for end users to reuse their passwords, so there’s a high chance these compromised passwords are being used across multiple applications. Many will likely be in use as Active Directory passwords too, which represents a serious risk. All of the breached passwords found in this research will be added to the Specops database of over 4 billion compromised passwords that we check against our customers’ Active Directories.

Most common Olympic sports referenced in stolen passwords

And here are some examples of golf-themed passwords that were showing up as compromised. You can see in many occasions, people have added a small amount of numbers or capital letters to meet minimum passwords requirements, and follow the predictable pattern of a single capital, a common base term (in this case golf), and then a number or special character. These are very easy passwords to crack. If you have a blocklist, you may want to consider adding these passwords to it.

breached golfing password examples

Find more compromised passwords in your network

Today’s update to the Breached Password Protection service includes an addition of over 30 million compromised passwords to the list used by Specops Password Auditor. You can find out how many of these compromised passwords are being used by your end users with a quick scan of your Active Directory with our free auditing tool: Specops Password Auditor.

Specops Password Auditor is read-only and doesn’t store Active Directory data, nor does it make any changes to Active Directory. You’ll get an easy-to-understand exportable report detailing password-related vulnerabilities that could be used as entry points for attackers. Download for free here.

Help end users create stronger passwords

Weak and easily-guessable passwords that rely on terms like someone’s favorite sport are highly vulnerable to brute force and hybrid dictionary attacks. Hackers use common base terms to greatly speed up their process for guessing weak passwords. When targeting a specific individual, they can also use social media to narrow down what some likely password options might be. In the case we’re looking at in this research, that might be the fact somebody is a keen golfer. Check out our guide for helping end users create strong passphrase here.

Specops Password Policy with Breached Password Protection protects your end users against the use of more than 4 billion unique known compromised passwords, including data from both known leaks as well as our own honeypot system that collects passwords being used in real password spray attacks. Our continuous scan feature checks all Active Directory passwords against the Breached Password Protection API for compromise once a day – the API is updated daily with newly discovered compromised passwords from our password honeypot system in addition to newly discovered password leaks when they occur.

Interested to see how Specops Password Policy could fit in with your organization? Have questions on how you could adapt this for your needs? Contact us or see how it works with a demo or free trial.

(Last updated on October 22, 2024)

picture of author marcus white

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.

Back to Blog