The award for the most popular movie used in leaked passwords goes to…

Ahead of Sunday's Oscars awards ceremony, password management provider Specops rolls out the red carpet to reveal its list.

Password management. Laptop with memo sticks on the screen.

Image: designer491, Getty Images/iStockPhoto

"Rocky" might be your all-time favorite movie, but if you're using it as a password, beware. This highly popular, feel-good boxing movie of the 1970s has the dubious distinction of showing up on breached password lists nearly 96,000 times, according to password management provider Specops. Just ahead of Sunday's Oscars, the firm analyzed more than 800 million breached passwords out of a list of 2 billion and is revealing the top 20 movies exposed via breaches.

Trailing close behind Rocky was "Hook," which the firm said showed up in over 75,000 breached password lists, and the "Matrix" at more than 50,000.

Rounding out the top 10 movies found in breached password lists are "Batman," "Psycho," "Superman," "Avatar," "Mummy," "Twilight" and "Star Wars." Specops' list of the top 20 movies found on breached password lists, can be found here.

SEE: How password anxiety is impacting individuals and organizations (TechRepublic)

Strong password hygiene continues to be a significant challenge for many enterprises, midmarket organizations and government agencies, according to Specops.

"While we present this breached password list in good humor, what shouldn't be taken lightly is the negative impact that weak and compromised passwords can have on an organization's cybersecurity risk," the firm said. "Passwords that show up on breached password lists can leave enterprise email, apps, servers and devices vulnerable to the unauthorized access needed to initiate a cyberattack."

Other major events are also a good time to rethink common password usage. In March, in advance of Opening Day 2021, for example, Specops revealed the top Major League Baseball team names that are scoring a homerun for hackers.

Employee passwords are most likely the greater weakness to a company's cybersecurity posture, Specops said. "While an increasing number of organizations are implementing password standards based on corporate security best practices or guidelines from organizations like NIST or CMMC, many companies continue to allow their workers to create passwords with only minimal parameters in place."

Specops cited SolarWinds as an example. "The company at the forefront of one of the biggest cybersecurity events in recent history was taken to task for using 'solarwinds123' as its backup server password," SpecOps said. "While it is believed that an intern, not a full-time employee, may have actually set this password and posted it on GitHub, the lesson learned is that password security must derive from the most senior levels of IT and security within an organization."

Techniques like social engineering and AI-driven "spray and pray" attacks are escalating the frequency and sophistication of attempted credential theft, meaning it's easier than ever for an attacker to obtain passwords for nefarious reasons, the firm said.  At the very least, to help reduce risk, all companies, regardless of size or industry, should:

  • Block weak passwords.
  • Create compliant password policies.
  • Target password entropy to enforce password length and complexity while blocking common character types at the beginning/end of passwords, as well as consecutively repeated characters.

To remain secure, companies need to implement robust password policies that address weak and compromised passwords, like those that are known to be breached, Specops said.

Herb Stapleton of the FBI's Cyber Division shared his tips for good password hygiene:

  • Use strong passwords.
  • Don't use the same passwords for all of your accounts.
  • Make sure those passwords contain a mix of numbers and letters and whatever the protocols of the account you're using call for.

Stapleton also advised businesses to educate employees on how to create a strong password, how to identify phishing emails and to not click on suspicious links.

To find out whether breached passwords like these movies are being used in your organization's Active Directory environment, Specops is offering a free, read-only scan.

By Esther Shein

Esther Shein is a longtime freelance writer and editor whose work has appeared in several online and print publications. Previously, she was the editor-in-chief of Datamation, a managing editor at BYTE, and a senior writer at eWeek (formerly PC Week)...