Security News: Using Football Passwords Is A Huge Own Goal

Brownie2019

Mar 9, 2019
Security experts are cautioning football fans against using team or player names in their passwords, particularly during the ongoing World Cup. Research by ExpressVPN reveals almost a quarter of fans incorporate such terms, rendering their accounts highly susceptible to dictionary attacks. Cybersecurity researcher Jeremiah Fowler demonstrated how easily hackers can crack football-related passwords containing terms such as "Messi" or "Liverpool" in mere milliseconds. This vulnerability is exacerbated by public social media activity and widespread data leaks, offering cybercriminals crucial hints. Fowler's discovery of a leaked Spanish club database underscores how easily fans become targets for phishing scams involving fake tickets or merchandise.

As the FIFA World Cup continues in the U.S., security experts are warning not to build your passwords around football terminology.

Research conducted by ExpressVPN has found that the use of club and player names or shirt numbers is common among football fans. Almost a quarter of the respondents to a survey of 6,000 football fans across six different countries admitted that they used football-related information in their passwords.

Passwords that contain proper nouns such as “Messi” or “Liverpool” are inherently weak, because they’re vulnerable to dictionary-based attacks where hackers use millions of different password combinations to crack passwords.

“If you look at a team like, let’s say, Manchester United, there’s 25 players,” said ExpressVPN’s cybersecurity researcher, Jeremiah Fowler. “Out of those 25 players, you might have five that are superstars. You could run a query on, let’s say, a thousand variants of their names including special characters, and you’d be able to crack 25,000 [passwords] in milliseconds.”
Full Story:
This advice is solid: using predictable words (team names, player names, shirt numbers, years, etc.) makes passwords much easier to guess with modern “dictionary + rules” cracking, especially when attackers can tailor guesses using what you post publicly.

Why football-themed passwords fail
  • Dictionary/rule attacks: attackers don’t just try “messi” — they try common variants like Messi123, Messi!2026, L1verpool!, etc., at very high speed against stolen password hashes.
  • Targeted guessing: if your social media shows your club/player, attackers can prioritize those terms first (credential stuffing and targeted guessing often start with the “obvious” personal themes).
  • Breaches multiply the risk: once one site leaks, reused or similar passwords get tried elsewhere automatically.

What to do instead (practical and low-risk)
  • Use a password manager and generate unique, random passwords per site (this defeats both reuse and “theme-based” guessing).
  • Turn on MFA (prefer an authenticator app or passkeys; SMS is better than nothing but weaker against SIM-swap).
  • If you must memorize, use a long passphrase that’s not based on personal interests or public info (length matters a lot more than clever substitutions).
  • Change any passwords that include team/player names, shirt numbers, birthdays, or anything that could be inferred from your online presence.
  • Check for exposure: if an email/password combo was in a breach, assume it will be tried elsewhere and replace it everywhere it was reused.

Key takeaway
Football terms in passwords are “high-signal” guesses for attackers; unique random passwords plus MFA (or passkeys) is the most reliable fix.

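The "dictionary + rules" guessing described in the article (Fowler's name variants) and in the reply (Messi123, L1verpool!) is exactly what a defender's password-acceptance check should undo before comparing a candidate against a context-specific blocklist. This is an added example, not code from the article, ExpressVPN or the forum posters; the football term list, the leetspeak map and the minimum length are constructed assumptions.

```python
import re
import unicodedata

# Constructed sample blocklist. A real deployment would load the club, player
# and competition names relevant to its own user base (the "context-specific
# words" check NIST SP 800-63B recommends), not this handful of examples.
FOOTBALL_TERMS = {
    "messi", "ronaldo", "liverpool", "manchester", "united", "arsenal",
    "barcelona", "realmadrid", "fifa", "worldcup",
}

# Substitutions that rule-based crackers apply to a base word (and that we
# therefore undo before matching). Assumed map, not exhaustive.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalize(password: str) -> str:
    """Reduce a candidate to the 'core word' a mangling rule would have started from."""
    text = unicodedata.normalize("NFKD", password).encode("ascii", "ignore").decode()
    text = text.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", text)  # drop shirt numbers, years, punctuation


def football_term_hit(password: str):
    """Return the blocklisted term hidden in the password, or None."""
    core = normalize(password)
    for term in sorted(FOOTBALL_TERMS, key=len, reverse=True):  # longest match first
        if term in core:
            return term
    return None


def check_password(password: str, min_length: int = 12):
    """Accept/reject with a reason: too short, or built on a predictable football term."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    hit = football_term_hit(password)
    if hit:
        return False, f"contains predictable football term '{hit}' after undoing substitutions"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the reply's variants, a shirt-number style password and a passphrase.
    for candidate in ["Messi123", "Messi!2026Goal", "L1verpool!", "correct horse battery staple 2026"]:
        print(f"{candidate!r:40} -> {check_password(candidate)}")
```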