Using Major League Baseball team names as passwords is a homerun for hackers

(Last updated on March 29, 2021)

The Cincinnati Reds, America’s oldest baseball team, may have one of Major League Baseball’s (MLB) worst pre-season odds to win the World Series, but the team sits alone in first place on Specops’ breached password list.

This is according to our new research, in advance of Opening Day 2021, which analyzed more than 800 million breached passwords (a subset of our larger list included with Specops Breached Password Protection of over 2 billion passwords) to determine the popularity of MLB team names and their mascots appearing on breached password lists. In total, our research found that ‘Cincinnati Reds’ appears within breached password lists almost 150,000 times.

The Los Angeles Angels, Tampa Bay Rays, New York Mets and Minnesota Twins round out the top five MLB teams identified in our analysis. In contrast, the Arizona Diamondbacks, Toronto Blue Jays and Oakland Athletics are the least likely MLB team names to be used in passwords, our research found.

The complete rankings:

  1. Cincinnati Reds
  2. Los Angeles Angels
  3. Tampa Bay Rays
  4. New York Mets
  5. Minnesota Twins
  6. Detroit Tigers
  7. Texas Rangers
  8. Chicago Cubs
  9. New York Yankees
  10. Boston Red Sox
  11. San Francisco Giants
  12. Pittsburgh Pirates
  13. Atlanta Braves
  14. Houston Astros
  15. Los Angeles Dodgers
  16. Kansas City Royals
  17. Cleveland Indians
  18. St. Louis Cardinals
  19. San Diego Padres
  20. Philadelphia Phillies
  21. Chicago White Sox
  22. Colorado Rockies
  23. Baltimore Orioles
  24. Miami Marlins
  25. Seattle Mariners
  26. Milwaukee Brewers
  27. Washington Nationals
  28. Oakland Athletics
  29. Toronto Blue Jays
  30. Arizona Diamondbacks

Hackers are opportunistic and known to take advantage of current events, such as the start of a professional sports season. Just a few weeks ago, we published a similar password study on the frequency of musicians and music groups tied to the Grammys.

What about the mascots?

For fun, we decided to research whether or not MLB team mascots also show up in our password list research. While we thought we might find an abundance of Phillie Phanatic, Billy the Marlin, Wally the Green Monster and Mr. and Mrs. Met, each of those famous mascots appeared less than 500 times, with Billy the Marlin only showing up once (this makes sense when considering just how unpopular the Marlins are these days).

The most popular mascots found within breached password lists include Houston’s Orbit, Cincinnati’s Gapper, Detroit’s Paws, Toronto’s Ace, Colorado’s Dinger, Atlanta’s Blooper and Arizona’s Baxter. All of these team mascots appeared at least several thousand times.

The urgent need for stronger password management and authentication

There is perhaps no greater weakness to a company’s cybersecurity posture than employee passwords. While an increasing number of organizations are implementing password standards based on corporate security best practices or guidelines from organizations like NIST or CMMC, many companies continue to allow their workers to create passwords with only minimal parameters in place.

Take SolarWinds as an example: the company at the forefront of one of the biggest cybersecurity events in recent history was taken to task for using ‘solarwinds123’ as its backup server password. While it is believed that an intern, not a full-time employee, may have actually set this password and posted it on GitHub, the lesson learned is that password security must derive from the most senior levels of IT and security within an organization. 

Social engineering and AI-driven ‘spray and pray’ attacks are escalating the frequency and sophistication of attempted credential theft, meaning it’s easier than ever for an attacker to obtain passwords for nefarious reasons. To help reduce risk, all companies, regardless of size or industry, should at the very least block weak passwords, create compliant password policies and target password entropy to enforce password length and complexity while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters.
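As an added illustration (not Specops’ own code), here is a minimal policy check that applies the rules just listed: a breached/denylist lookup that catches team names embedded inside a longer password, a minimum length, a check for consecutively repeated characters, and a check for digits or symbols confined to the start or end. The denylist is a constructed sample of a few names from this article, not the 800-million-entry dataset.

```python
import re

# Constructed sample denylist: a few team names and mascots from the article
# plus the weak password it mentions. A real deployment would use a full
# breached-password list instead.
DENYLIST = {"cincinnati reds", "reds", "angels", "rays", "mets", "twins",
            "orbit", "gapper", "solarwinds123"}
MIN_LENGTH = 12


def _fold(text: str) -> str:
    """Lowercase and drop non-alphanumerics so 'Go-Reds 2021!' matches 'reds'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password: str, denylist=DENYLIST, min_length=MIN_LENGTH):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []

    if len(password) < min_length:
        findings.append("too_short")

    # Denylist match is a substring match on the folded form, which is how team
    # names typically appear inside breached passwords (e.g. 'GoReds2021!').
    folded = _fold(password)
    for term in sorted(denylist):
        if _fold(term) in folded:
            findings.append(f"denylist:{term}")
            break

    # Any character immediately repeated ('!!', 'aa', '11').
    if re.search(r"(.)\1", password):
        findings.append("repeated_char")

    # Digits/symbols present but only as a leading or trailing run around a
    # purely alphabetic core, the classic 'Word2021!' shape.
    if re.search(r"[^a-zA-Z]", password) and re.fullmatch(
            r"[^a-zA-Z]*[a-zA-Z]+[^a-zA-Z]*", password):
        findings.append("edge_only_digits_symbols")

    return findings


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for pw in ["GoReds2021!!", "solarwinds123", "Vermont-kayak-9-lantern"]:
        print(pw, "->", check_password(pw) or "OK")
```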

Contact us today for more information about how Specops can help mitigate your organization’s password-driven risks in Active Directory. In the meantime, let’s get ready for first pitch by making sure not to use a password that is too easy to guess or is readily found on a breached password list.

Written by

Darren Siegel

Product Specialist, Specops Software
