The European soccer championship (a.k.a. the Euros) is stoking maximum football fever, which has slopped over into easy-to-crack passwords. Such as, say, “football.”
That password is of course easy as pie to crack via a dictionary attack – a type of brute-force attack that involves trying thousands of random words as passwords, using sources like every word in Wikipedia’s databases or all of the words from the Project Gutenberg free eBook collection, all of which showed up in the “RockYou2021” word list released to a hacker forum earlier this moth.
Not all of the 8.4 billion entries in the 100-gigabyte RockYou2021 list were breached passwords, Have I Been Pwned creator and maintainer Troy Hunt pointed out at the time, but they’re still useful for cracking.
“This list is about 14 times larger than what’s in Pwned Passwords because the vast, vast majority of it isn’t passwords,” he tweeted. “Word lists used for cracking passwords, sure, but not real-world passwords, so they won’t be going into @haveibeenpwned.”
Beyond dictionary attacks, it’s simpler still to crack a password such as “football” with just a smidge of knowledge about human nature and current events. Unless you’ve been living under a rock for the past few months or aren’t a sports fan, you’ll know that the UEFA European Football Championship is in full swing across Europe. It was rescheduled from last summer due to the pandemic, so this year’s return to the fields is a welcome return for football fans to cheer on their teams.
Football-Related Password Own-Goals
Fans are also using the occasion to be inspired to concoct feeble passwords. The worst of the football-inspired weak passwords is that word “football”: It pops up 353,993 times in the database of 1 billion unique, clear-text, breached passwords maintained by authentication firm Authlogics. In that database, there are “well over 1 million associated with football,” the company said on Wednesday. Some examples:
| Top 5 football terms | Number of occurrences |
| Football | 353,993 |
| Liverpool | 215,842 |
| Chelsea | 172,727 |
| Arsenal | 151,936 |
| Barcelona | 131,090 |
| Total | 1,136,155 |
As Hunt has said in the past, the main issue behind insecure passwords stems from human nature: People who need to create passwords often seek out the path of least resistance, which leads to passwords that they’ll remember but that are insecure. That may include a name of a pet or birthday, which malicious actors can easily find via a quick online search, given that personally identifiable information (PII), pet names and birthdays are often shared freely on social media.
The “mind-boggling” number of football-associated passwords poses an “obvious problem,” Authlogics’ Kate Wotherspoon wrote in the report. “These breached passwords are obviously insecure due to the breach itself, but they also speak to serious problems for other accounts owned by the compromised individuals.” She pointed to Google research showing that 52 percent of people reuse the same password for multiple (but not all) accounts, only 33 percent use a different password for all accounts and 13 percent reuse the same password for all their accounts.
“If your password has been breached on one account, and you are one of the 52 percent of people who reuse their passwords regularly, you might find other accounts which were not breached also compromised,” Authlogics warned.
Same Old Password Problem
Of course, this “obvious problem” has plagued the security industry for years. Poor password hygiene includes password reuse, picking easy-to-guess passwords, or simply by leaving a password moldering. Case in point: It took only one dusty, no-longer-used password for the DarkSide cybercriminals to breach the network of Colonial Pipeline Co. last month, resulting in a ransomware attack that caused significant disruption and remains under investigation by the U.S. government and cybersecurity experts.
Although it’s not clear how the attackers got their hands on the password in the first place, one assumes it can’t have been all that hard, given that the VPN password they used for the Colonial attack showed up in a batch of compromised passwords on the Dark Web, according to Bloomberg.
No surprise there: According to the Verizon 2021 Data Breach Investigations Report, stolen credentials are the primary means by which a bad actor penetrates an organization, with 61 percent of breaches attributed to them. Privileged credentials open a lot of doors, including to a wealth of confidential information that can be leveraged for ransomware or double extortion attacks, where attackers not only paralyze networks but also threaten to publish victims’ compromised data in order to ramp up the pressure to pay the ransom.
At Least Make It ‘Football&^#)479!’
For those who can’t resist using football terms in their passwords, Authlogic passed on these tips to make their passwords stronger:
- Replace the password with a pattern. As opposed to using a word, which is easily recognizable and easily stolen, use a code or pattern formed out of letters or numbers which is unique to you.
- Use a variety of different symbols: A combination of letters (some upper case and some lower), numbers and symbols…This is particularly important if you are insistent on having your favorite football team in your password.
- Try your absolute best to not reuse passwords. While this might mean you need to remember more passwords (or use a password manager) it goes a long way to limiting the damage should one of your accounts become breached.
Granted, people hear these words of advice all the time. They already know that password reuse is dumb, too, but they still do it. If the future of authentication is passwordless, it can’t come soon enough.
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.
