Premier League Clubs May Want to Be Relegated from This Breached Password List

Chelsea, one of England’s most successful football clubs, can add another trophy to their record today, as they rank in first place on Specops’ breached password list.  

This is according to our new research, ahead of the start of the Premier League 2021 season, which analyzed more than 800 million compromised passwords (a subset of our larger list included with Specops Breached Password Protection of over 4 billion passwords) to determine the popularity of Premier League teams appearing on compromised password lists. In total, our research found that ‘Chelsea’ appears within breached password lists almost 66,000 times. 

Liverpool, Arsenal, Everton and Aston Villa round out the top five teams identified in our analysis. In contrast, Brighton and Wolves are the least likely Premier League club names to be used in passwords, our research found. 

The complete rankings: 

1. Chelsea 

2. Liverpool 

3. Arsenal 

4. Everton 

5. Aston Villa 

6. Watford 

7. Burnley 

8. Manchester United 

9. Leeds United 

10. Brentford 

11. Southampton 

12. Manchester City 

13. WestHam United 

14. Norwich City 

15. Crystal Palace 

16. Newcastle United 

17. Leicester City 

18. Tottenham Hotspur 

19. Wolverhampton Wanderers 

20. Brighton & Hove Albion 

Hackers are opportunistic and known to take advantage of current events, such as the start of professional sports seasons. Just a few months ago, we published a similar password study on the frequency of Marvel and DC characters found in breached password lists ahead of this summer’s superhero premieres. 

Football clubs by nickname 

Our team also took a look at which Premier League club nicknames top breached passwords lists. When it comes to nicknames, Manchester City tops the list with over 225,000 appearances. Compare that with the least-used nickname, the Canaries at just 599 appearances, though since they were promoted this season, that number may increase. 

1. City 

2. Reds 

3. Villa 

4. Bees 

5. Blues 

6. Eagles 

7. Saints 

8. Whites 

9. Wolves 

10. Spurs 

11. Hammers 

12. Gunners 

13. Foxes 

14. Hornets 

15. Magpies 

16. Red Devils 

17. Seagulls 

18. Toffees 

19. Clarets 

20. Canaries 

Secure password management needs to remain a cyber security priority 

Even as passwordless solutions emerge in the market, passwords remain the primary authentication method – even serving as the backup for when those passwordless solutions fail. Whether organisations are looking to comply with industry guidelines or just secure their Active Directory passwords, a compromised password check is a no-brainer. 

The recent ransomware attack on the US Colonial Pipeline is a stark reminder that the AD password is a critical piece of infrastructure that needs securing. A known breached password used to authenticate a VPN connection was the opening attackers needed to implement their malware, ultimately stealing 100 gigabytes of data and collecting a ransom payment of $4.4 million (about £3.15 million).  

Social engineering and AI-driven ‘spray and pray’ attacks are escalating the frequency and sophistication of attempted credential theft, meaning its easier than ever for an attacker to obtain passwords for nefarious reasons. To help reduce risk, all companies, regardless of size or industry, should at the very least block weak passwords, create compliant password policies and target password entropy to enforce password length and complexity while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters. 

Contact us today for more information about how Specops can help mitigate your organizations password-driven risks in Active Directory. In the meantime, let’s get ready for the new season by making sure not to use a password that is too easy to guess or is readily found on a breached password list.