Keeping Football on the Pitch and Out of Passwords this World Cup

The Messi versus Ronaldo debate returns, but this time it’s not about who is the best footballer but about which name has appeared the most within Specops’ Breached Password Protection list.

With the FIFA 2022 World Cup in Qatar kicking off, we’ve continued the theme of analyzing over 800 million compromised passwords (a subset of our larger Breached Password Protection list of over 3 billion known compromised passwords) against popular events to see which related terms are contained within compromised passwords.

Most eyes and ears will be glued to the World Cup for the next four weeks, with the historic event likely to dominate headlines. But be vigilant: hackers are known to use events like the World Cup and other professional sporting events as an opportunity to target unsuspecting victims.

Using commonly known terms or phrases for passwords is seen as low-hanging fruit for cybercriminals, as the passwords frequently appear on leaked lists on the dark web and are then used in attacks in order to gain unauthorised access to user accounts and networks.

Darren James, Technical Lead at Specops Software said:

“Once again, we see users scoring an own goal when it comes to making password decisions. As passwords form at least one factor, or provide a “fallback”, in most MFA solutions, we recommend switching to a long and strong passphrase wherever possible. Weak or easily guessable words, such as local or popular sports teams, that might be followed by users in your organization, can be tackled by blocking them within a password dictionary.”

In this edition, we looked at World Cup legends, all the countries that qualified for the competition and other World Cup-related terms – you may be surprised who topped the list.

World Cup legend rankings

1. Lato
2. Carlos
3. Kane
4. Didi
5. Villa
6. Henry
7. Hagi
8. Milla
9. Xavi
10. Rossi
11. Pele
12. Santos
13. Moore
14. Messi
15. Vava
16. Walter
17. Kopa
18. Ronaldo
19. Monti
20. Zico

While there is no guarantee that the more common terms contained within passwords refer to a player every time, it is common for users to choose well-known terms and names, and it is highly likely there is intent when less common surnames appear. Looking at World Cup legends, Grzegorz Lato of Poland’s golden generation topped the list, appearing over 174,000 times. Pele, arguably the greatest player ever, landed just outside the top 10 with over 70,000 mentions, and the debate is settled: Messi beats Ronaldo, appearing more times in the breached password list.

Qualifying international teams

1. USA
2. Iran
3. France
4. Japan
5. Canada
6. Mexico
7. Spain
8. England
9. Brazil
10. Portugal
11. Ghana
12. Germany
13. Australia
14. Wales
15. Poland
16. Argentina
17. Ecuador
18. Qatar
19. Denmark
20. Uruguay

Analyzing the countries that qualified for the World Cup, the host nation Qatar appeared at number 18, but at the top of the list of qualifying countries contained within breached passwords was the USA, appearing a staggering 1.3 million times, which was more than the rest of the top 20 results combined.

World Cup-related terms

1. Soccer
2. Football
3. FIFA
4. Futbol
5. Voetbal
6. Wembley
7. Fotboll
8. Fodbold
9. Fifaworldcup
10. Futebal

It is often said that football is a universal language. Our research found this is often true within passwords. Soccer tops the related terms list with over 140,000 inclusions, with Football coming in 2nd place. England’s international stadium Wembley makes it into the top 10, appearing over 1,600 times.

Don’t score an own goal this World Cup

Remember in 2014 when the FIFA World Cup Security team accidentally revealed their Wi-Fi password? The password used was b5a2112014, which is brazil2014 in leetspeak. You may think that looks complex and would offer sufficient security, but even if it hadn’t been shown in plaintext on screen for everyone to see, it would only have taken a hacker a few hours to crack.
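One way to apply the dictionary blocking mentioned earlier so that leetspeak variants like b5a2112014 are rejected along with the plain term. This is an added example, not Specops code; the substitution table (including 5 standing for r, taken from the example above), the banned-term sample and the minimum term length are assumptions.

```python
# Added example: banned-term check that tolerates leetspeak substitutions.
# LEET, BANNED_TERMS and MIN_TERM_LEN are illustrative assumptions.

# Each substitute character maps to every letter it may stand for.
LEET = {
    "0": "o", "1": "il", "2": "z", "3": "e", "4": "a",
    "5": "sr",  # 5 -> r comes from the page's b5a2112014 example
    "7": "t", "8": "b", "@": "a", "$": "s", "!": "i",
}

# Constructed sample drawn from terms this page lists.
BANNED_TERMS = ["brazil", "messi", "ronaldo", "soccer", "football", "fifa"]
MIN_TERM_LEN = 4  # assumption: very short terms match too often by accident


def char_matches(pw_char: str, letter: str) -> bool:
    """True if pw_char is the letter itself or a leet stand-in for it."""
    c = pw_char.lower()
    return c == letter or letter in LEET.get(c, "")


def find_banned_term(password: str, terms=BANNED_TERMS):
    """Return the first banned term hidden anywhere in password, else None."""
    for term in terms:
        if len(term) < MIN_TERM_LEN:
            continue
        # Slide the term across the password, comparing character by
        # character so ambiguous digits (1 = i or l) need no enumeration.
        for start in range(len(password) - len(term) + 1):
            window = password[start:start + len(term)]
            if all(char_matches(c, t) for c, t in zip(window, term)):
                return term
    return None


if __name__ == "__main__":
    for candidate in ["b5a2112014", "M3ss!2022", "correct-horse-battery-staple"]:
        print(candidate, "->", find_banned_term(candidate))
```

Matching per character against a set of possible letters avoids generating every decoding of the password, so the check stays cheap enough to run at password-change time.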

The longer your password is, the longer it will take to crack (check out this detailed guide on password length best practices if you want to learn more). In addition to a strong password, use additional factors of authentication wherever possible.

Strong passwords need to remain a cyber security priority; they’ve been around for a long time now, but users are still making simple mistakes. If you are interested in finding out how many compromised passwords exist in your Active Directory, you can run a free password vulnerability audit with Specops Password Auditor.

Want to stop over 3 billion weak and compromised passwords at the point of creation? Request a trial of Specops Password Policy today. But if nothing else, tell your end-users to keep the football terms on the pitch and out of their passwords, and enjoy the World Cup!
