Premier League Clubs May Want to Be Relegated from This Breached Password List

Chelsea, one of England’s most successful football clubs, can add another trophy to their record today, as they rank in first place on Specops’ breached password list.  

This is according to our new research, ahead of the start of the Premier League 2021 season, which analyzed more than 800 million compromised passwords (a subset of our larger list included with Specops Breached Password Protection of over 4 billion passwords) to determine the popularity of Premier League teams appearing on compromised password lists. In total, our research found that ‘Chelsea’ appears within breached password lists almost 66,000 times. 

Liverpool, Arsenal, Everton and Aston Villa round out the top five teams identified in our analysis. In contrast, Brighton and Wolves are the least likely Premier League club names to be used in passwords, our research found. 

The complete rankings: 

  1. Chelsea 
  1. Liverpool 
  1. Arsenal 
  1. Everton 
  1. Aston Villa 
  1. Watford 
  1. Burnley 
  1. Manchester United 
  1. Leeds United 
  1. Brentford 
  1. Southampton 
  1. Manchester City 
  1. WestHam United 
  1. Norwich City 
  1. Crystal Palace 
  1. Newcastle United 
  1. Leicester City 
  1. Tottenham Hotspur 
  1. Wolverhampton Wanderers 
  1. Brighton & Hove Albion 

Hackers are opportunistic and known to take advantage of current events, such as the start of professional sports seasons. Just a few months ago, we published a similar password study on the frequency of Marvel and DC characters found in breached password lists ahead of this summer’s superhero premieres. 

Football clubs by nickname 

Our team also took a look at which Premier League club nicknames top breached passwords lists. When it comes to nicknames, Manchester City tops the list with over 225,000 appearances. Compare that with the least-used nickname, the Canaries at just 599 appearances, though since they were promoted this season, that number may increase. 

  1. City 
  1. Reds 
  1. Villa 
  1. Bees 
  1. Blues 
  1. Eagles 
  1. Saints 
  1. Whites 
  1. Wolves 
  1. Spurs 
  1. Hammers 
  1. Gunners 
  1. Foxes 
  1. Hornets 
  1. Magpies 
  1. Red Devils 
  1. Seagulls 
  1. Toffees 
  1. Clarets 
  1. Canaries 
2022 weak password report image
Password attacks are on the rise. The 2022 Weak Password Report has insights into just how vulnerable passwords truly are.

Secure password management needs to remain a cyber security priority 

Even as passwordless solutions emerge in the market, passwords remain the primary authentication method – even serving as the backup for when those passwordless solutions fail. Whether organisations are looking to comply with industry guidelines or just secure their Active Directory passwords, a compromised password check is a no-brainer. 

The recent ransomware attack on the US Colonial Pipeline is a stark reminder that the AD password is a critical piece of infrastructure that needs securing. A known breached password used to authenticate a VPN connection was the opening attackers needed to implement their malware, ultimately stealing 100 gigabytes of data and collecting a ransom payment of $4.4 million (about £3.15 million).  

Social engineering and AI-driven ‘spray and pray’ attacks are escalating the frequency and sophistication of attempted credential theft, meaning its easier than ever for an attacker to obtain passwords for nefarious reasons. To help reduce risk, all companies, regardless of size or industry, should at the very least block weak passwords, create compliant password policies and target password entropy to enforce password length and complexity while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters. 

Contact us today for more information about how Specops can help mitigate your organizations password-driven risks in Active Directory. In the meantime, let’s get ready for the new season by making sure not to use a password that is too easy to guess or is readily found on a breached password list. 

(Last updated on June 9, 2022)

Back to Blog