Division 1 College Football Teams and Mascots Keep Showing Up on Breached Password Lists

(Last updated on September 13, 2021)

The Rambling Wreck of Georgia Tech may not have earned a single vote in the AP’s preseason college football Top 25 rankings, but when it comes to appearing on breached password lists, the prestigious university ranks #1.  

In conjunction with the kickoff of the college football season, our researchers analyzed more than 800 million compromised passwords (a subset of the larger list of over 2 billion passwords included with Specops Breached Password Protection) to determine how often Division 1 FBS football programs, and their team mascots and nicknames, appear on breached password lists.

In total, our researchers looked at passwords related to top football-playing universities, finding that Georgia Tech (GT), the University of Kansas (KU) and the University of Florida (UF) each appear more than 5 million times on breached password lists, while San Jose State University (SJSU), New Mexico State University (NMSU) and the University of Nevada Las Vegas (UNLV) appear the least.

The complete 2021 Specops Preseason Top 25 

  1. Georgia Tech (GT)
  2. University of Kansas (KU)
  3. University of Florida (UF)
  4. Virginia Tech University (VT)
  5. Arizona State University (ASU)
  6. University of Georgia (UGA)
  7. Old Dominion University (ODU)
  8. East Carolina University (ECU)
  9. University of North Carolina (UNC)
  10. University of Southern California (USC)
  11. Southern Methodist University (SMU)
  12. University of Alabama – Birmingham (UAB)
  13. Louisiana State University (LSU)
  14. Florida Atlantic University (FAU)
  15. Brigham Young University (BYU)
  16. University of South Florida (USF)
  17. Penn State University (PSU)
  18. Texas Christian University (TCU)
  19. Florida State University (FSU)
  20. Florida International University (FIU)
  21. Texas A&M University (TAMU)
  22. University of Texas – San Antonio (UTSA)
  23. University of Central Florida (UCF)
  24. University of Texas – El Paso (UTEP)
  25. University of California Los Angeles (UCLA)

Our researchers also looked at popular college football nicknames and mascots appearing on breached password lists. For the purposes of this research, we excluded any nickname used by more than one university or by a professional sports team. Exclusions include ‘Bulldogs’, ‘Cowboys’ and ‘Tigers’, among a few others.

Top 10 Nicknames/Mascots  

  1. Utah Utes 
  2. Florida Gators 
  3. New Mexico Lobos 
  4. Florida State Seminoles 
  5. Akron Zips 
  6. UCLA Bruins 
  7. Oklahoma State Pokes 
  8. Oklahoma Sooners 
  9. Texas Longhorns 
  10. Wisconsin Badgers 

In total, college football team names and mascots appear more than 77 million times on breached password lists.  

Tackling password security risks 

College football fans are incredibly passionate about their schools, particularly those in SEC and Big 12 country, so it’s completely unsurprising that so many people incorporate their favorite teams into their passwords. However, in today’s cybersecurity threat landscape, it’s essential that any use of a college football team name or mascot be part of a much larger and complex password, if they are to be used at all.

Presently, poor password hygiene continues to put both people and businesses at unprecedented risk. Today, passwords are linked to 80% of breaches, and poor password hygiene is an easy entry point for bad actors to exploit in cyberattacks.  

In response to the increase in social engineering and brute force attacks, organizations should at the very least block weak passwords, create compliant password policies and target password entropy to enforce password length and complexity while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters.  
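The checks described above can be expressed as a small password-policy filter. This is an added example, not Specops code: the minimum length, the deny-list (a few names taken from the rankings in this post), the three-character repeat threshold and the "capital first, digits/symbols last" pattern are all assumptions chosen for illustration.

```python
import re

MIN_LENGTH = 12  # assumed policy value, not from the article

# Constructed deny-list built from a few names in the article's rankings.
BANNED_TERMS = ("gators", "seminoles", "longhorns", "sooners",
                "badgers", "bruins", "ucla", "utes")

# Undo common character substitutions before the deny-list lookup,
# so "L0ngh0rns" is treated the same as "Longhorns".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Same character three or more times in a row (threshold is an assumption).
REPEAT_RUN = re.compile(r"(.)\1{2,}")

# One reading of "common character types at the beginning/end":
# a single leading capital, a lowercase body, digits/symbols only at the end.
PREDICTABLE_SHAPE = re.compile(r"^[A-Z][a-z]+[\d\W_]+$")


def policy_violations(password):
    """Return the list of policy rules the candidate password breaks."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    normalized = password.lower().translate(LEET)
    if any(term in normalized for term in BANNED_TERMS):
        violations.append("banned_term")
    if REPEAT_RUN.search(password):
        violations.append("repeated_chars")
    if PREDICTABLE_SHAPE.match(password):
        violations.append("predictable_shape")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates, not taken from any breach list.
    for candidate in ("Gators2021!", "L0ngh0rnsForever",
                      "Summerrr2021", "7ravel-Mango-cobalt-91x"):
        print(candidate, policy_violations(candidate))
```

Substring matching on short terms such as "utes" will also reject unrelated words that contain them (for example "minutes"), so a production deny-list needs a minimum term length or word-boundary handling.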

Don’t let a password breach disrupt your ability to root for and enjoy the upcoming college football season. Find out if breached passwords like these are being used in your organization’s Active Directory environment with a free read-only scan by Specops Password Auditor.  
