You've got to stop using your favorite superhero as a password - here's why


Batman may have top-notch security in his Batcave, but that doesn’t mean you should take inspiration from him for your passwords.

As a matter of fact, using superhero names as passwords is a common occurrence, making for low-hanging fruit for criminals looking to brute-force their way into online accounts and business networks.

Cybersecurity firm Specops Software recently analyzed more than 800 million breached passwords, looking for those that include the names of Marvel or DC superheroes.

The company found that Loki was the most popular choice, appearing more than 151,000 times, while his brother Thor was used almost 148,000 times. DC characters are also well-represented, with Batman's sidekick Robin featuring in 127,000 breached passwords.

In total, more than 1.1 million breached passwords included mentions of popular Marvel and DC characters.

Weak passwords

Although no one wants their personal accounts compromised by cybercriminals, businesses have even more to lose as a result of this worrying trend.

For small and medium-sized businesses, poor password hygiene is one of the weakest links in the cybersecurity chain, the report adds. Many high-profile attacks, including the recent Colonial Pipeline incident, start with compromised credentials. 

In order to stay safe, SMBs should focus on robust password policies. There are many measures organizations can take, such as requiring employees to create complex passwords or preventing them from using names of partners, important dates, home addresses and other easily obtainable data.

Businesses should also require employees to create a new password every few months, and make sure they don’t just change the last character when they do. And finally, two-factor authentication should always be enabled where possible, providing an additional layer of protection.
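The policy measures described above can be enforced at password-change time. The following is an added example, not code from Specops or from the report: it rejects passwords containing the character names cited in this article (after undoing common character substitutions) and new passwords that barely differ from the current one. The function names, the substitution table, the `extra_terms` parameter and the length and similarity thresholds are assumptions chosen for illustration.

```python
# Names cited in the article; a real deployment would load a larger breached-term list.
BANNED_TERMS = {"loki", "thor", "robin", "batman"}

# Assumed substitution table: undoes common "leet" swaps before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(password):
    """Lower-case and undo substitutions so 'B@tm4n' matches 'batman'."""
    return password.lower().translate(LEET)

def banned_terms_in(password, extra_terms=()):
    """Return the sorted banned terms found anywhere in the password.

    extra_terms holds per-user data (partner names, street names, ...).
    """
    norm = normalize(password)
    terms = BANNED_TERMS | {t.lower() for t in extra_terms if len(t) >= 3}
    return sorted(t for t in terms if t in norm)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_new_password(new, current, extra_terms=(), min_length=12, min_change=4):
    """Return a list of policy violations; an empty list means accepted.

    `current` is the password the user typed to authorize the change,
    so no plaintext history has to be stored. Thresholds are assumed values.
    """
    problems = []
    if len(new) < min_length:
        problems.append("too short")
    found = banned_terms_in(new, extra_terms)
    if found:
        problems.append("contains banned term: " + ", ".join(found))
    if edit_distance(normalize(new), normalize(current)) < min_change:
        problems.append("too similar to current password")
    return problems
```
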

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.