Superhero Passwords Pose Serious Risk to Personal, Enterprise Accounts

Superheroes may be able to save everyone in a fantasy world, but they can’t keep online accounts secure in the digital era, Mozilla warns.

With hundreds of thousands of occurrences in breach datasets, superhero passwords aren’t a strong account protection method, even when the real identities of superheroes are used instead.

Data from breach notification website haveibeenpwned.com reveals that thousands of users choose to protect their online accounts with superhero names, thus weakening their protection.

With more than 328,000 occurrences in breach datasets, Superman is the most commonly used superhero password, followed by Batman (more than 226,000 occurrences) and Spider-Man (slightly over 160,000 occurrences).

Wolverine, Ironman, Wonder Woman, and Daredevil are also popular, emerging tens of thousands of times in datasets.

The real identities of superheroes are also poor choices for passwords. James Howlett/Logan was seen more than 30,000 times in datasets and Clark Kent, Bruce Wayne, Peter Parker and Tony Stark had thousands of occurrences each as well.

If such passwords are used within enterprise environments, they could expose the entire organization to attacks. In fact, even the compromise of a personal account may lead to the gathering of information that, when leveraged in phishing, could help a malicious actor breach an organization.

With the Cybersecurity Awareness month underway, Mozilla decided to raise awareness on the importance of using strong passwords to secure online accounts, and added a password manager in Firefox for Android.

“Passwords are one of the easily compromised components within a company. To mitigate risk, enterprises should either establish a tight password policy or switch to a passwordless model. The latter will be far more efficient,” Mohit Tiwari, co-founder and CEO at Data Store and Object Security (DSOS) provider Symmetry Systems, said.

To ensure additional protection, users should enable two-factor authentication to all accounts that support the feature, and should also use monitoring services that alert them when their accounts appear in data breaches. Using an encrypted connection, such as a Virtual Private Network (VPN), also improves security.

“Users have failed to maintain proper passwords for decades. That will never change. Therefore, innovation must build an easy to use alternative that provides appropriate security with a better user experience. Enterprises have to find the right balance of technology innovation alongside security for traditional models,” Tyler Shields, CMO at cyber asset management and governance solutions provider JupiterOne, told SecurityWeek.

“Passwords are the most misused line of defense in cyber security today. Words are only better than randomized passwords because they can be easily remembered, instead of being written down. In trade off, the password itself is simplified and easier to guess. My recommendation would be to eliminate passwords completely. However, if you must use a password, make sure to use a password manager and incorporate very complex, difficult to guess, randomly generated passwords via those tools,” Shields continued.

Related: IBM: Average Cost of Data Breach Exceeds $4.2 Million

Related: Controversial Web Host Epik Confirms Customer Data Exposed in Breach

Related: Regular Users Can Now Remove Password From Their Microsoft Account