Not Even Superheroes Have the Power to Stay Off of Breached Password Lists

(Last updated on June 28, 2021)

Batman or Spiderman? Superman or Thor? Flash or Falcon? The infatuation with and intense debate over Marvel and DC superhero and villain supremacy among comic book aficionados is a year-round musing, but always intensifies during the summer months when the latest flick hits the Big Screen.  

In conjunction with the new Loki (Marvel) series now streaming on Disney Plus, and with the forthcoming premieres of Black Widow (Marvel) and The Suicide Squad (DC), we analyzed the top Marvel and DC comic book characters to appear on breached password lists. This research comes just a few weeks after we revealed the top Star Wars-themed breached passwords on May the 4th.

According to our new research, which analyzed more than 800 million breached passwords, a subset of the more than two billion breached passwords in Specops Breached Password Protection, ‘Loki’ (Marvel) took the top spot, appearing on breached password lists more than 151,000 times. ‘Thor’ (Marvel), which appears almost 148,000 times, and ‘Robin’, which shows up over 127,000 times, round out the top three.

The top 40 Marvel and DC characters found within breached password lists include: 

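| Password | Category |
|---|---|
| Loki | Marvel |
| Thor | Marvel |
| Robin | DC |
| Joker | DC |
| Flash | DC |
| Batman | DC |
| Superman | DC |
| Vision | Marvel |
| Falcon | Marvel |
| Penguin | DC |
| Hulk | Marvel |
| Wanda | Marvel |
| Venom | Marvel |
| Spiderman | Marvel |
| Ironman | Marvel |
| Katana | DC |
| Hydra | Marvel |
| Wolverine | Marvel |
| Gambit | Marvel |
| Punisher | Marvel |
| Hawkeye | Marvel |
| Groot | Marvel |
| AntMan | Marvel |
| Deadpool | Marvel |
| Thanos | Marvel |
| Catwoman | DC |
| Magneto | Marvel |
| Riddler | DC |
| Cyclops | Marvel |
| Avengers | Marvel |
| Mystique | Marvel |
| WonderWoman | DC |
| Aquaman | DC |
| BlackWidow | Marvel |
| Gamora | Marvel |
| TwoFace | DC |
| Nightcrawler | Marvel |
| BlackPanther | Marvel |
| GreenLantern | DC |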

In total, the top 80 Marvel and DC characters appear on breached password lists more than 1.1 million times.  

Improving password hygiene must be a top enterprise priority  

Poor password hygiene continues to be one of the primary root causes of cyberattacks. Recently, it was revealed that hackers used a breached password to orchestrate the Colonial Pipeline ransomware attack, which disrupted the oil supply on the East Coast for nearly a week. In fact, passwords that show up on breached password lists leave enterprise email, apps, servers, and devices vulnerable to the unauthorized access needed to initiate a cyberattack. 

To remain secure, companies must implement robust password policies that address weak and compromised passwords, like those that are known to be breached. Specops Password Policy integrates password best practices and guidelines from NIST or CMMC and makes it easier for IT admins to enforce stronger passwords and block weak passwords that appear on breached password lists. 

Fan appreciation of both Marvel and DC characters, and the debate over which universe is the superior comic book world, will live on for a long time to come. But no matter how big of a fan you are, now is the time to update your password should you be using any of the characters found within breached password lists.   

You can also find out if breached passwords like these are being used in your organization’s Active Directory environment with a free read-only scan by Specops Password Auditor.  
