As college football kicks off, avoid putting your favorite team in your password

Being true to your school could cost you.

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, wannabe runner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise cybersecurity, digital privacy, IoT, consumer tech, smartphones, wearables
Bree Fowler
4 min read

Heads up, Florida fans: You might get chomped if you put "Gator" in your passwords. 


You might think that you're being clever with a password like GatorGirl!, HokiesFan72 or GoUtes?, but those shoutouts to college football teams might be putting your online accounts at risk.

According to a new study released ahead of this week's official kickoff of the college football season, it isn't uncommon for people to identify themselves as, for example, a Florida, Virginia Tech or Utah fan in the passwords they use for their online accounts.

The research published by Specops Software, a Stockholm-based security company, shows that the names, nicknames and mascots of Division 1 football schools are among the most popular choices for passwords within a trove of 800 million compromised logins it analyzed. Nearly one in 10 entries used a college football team reference, according to the report, which focused exclusively on the top college teams.

Like the preseason polls that rank the strength of top football teams, the Specops study lists the top 25 schools most mentioned in its breached password lists. 

Topping the Specops rankings is Georgia Tech, followed by Kansas and Florida. Each of those schools showed up more than 5 million times. (On the gridiron, only Florida is currently ranked in the AP Top 25 football poll).

The team mascots most frequently mentioned were the Utah Utes, Florida Gators and New Mexico Lobos. It's worth mentioning that the researchers excluded nicknames used either by multiple schools or by professional sports teams. That weeds out teams called the Tigers, Bulldogs and Cowboys.

It's difficult to say why certain schools rose to the top of the rankings, while others didn't, said Darren James, the head of internal IT at Specops. But easy-to-guess passwords are a mistake, particularly if they provide access to sensitive information, he said.

"These days, we all have so much personal information in the cloud, and on social media ... they're the keys to our identity," James said in a video call. "We need to protect ourselves and keep them safe."

The report isn't the first time Specops found peoples' fandom leading them to poor password choices. The company previously found similar patterns among fans of English Premier League soccer clubs, Marvel and DC comic book characters, and the Star Wars franchise.

Still, the volume of the college football schools and mascots was stunning. Combined, the nicknames, college teams and mascots appeared more than 77 million times on the stolen password lists.

The more popular the words used in your passwords are, the more likely they'll be guessed by cybercriminals, James says. If an attacker already knows where you went to school, info you likely posted to social media, that's going to be an assumed starting point. 

Tips for good passwords

Here are some ways to take the pain out of passwords, while making sure that you're using good ones:

Longer is better. More than 15 characters is best. At that point, you don't have to worry so much about password-cracking software. And, to make it easy to remember, create a pass phrase rather than a password.

James recommends using a combination of three unrelated words that have meaning only to you. That means no song titles or famous quotations.

Of course, you could still use your favorite college football team, then combine it with your aunt's middle name and the food you most despise. Throwing in a special character, preferably somewhere in the middle, doesn't hurt, either, he says.

Resist the temptation to repeat. Even the best passwords can be stolen and compromised, So limit the fallout by making sure you set unique passwords for all of your accounts. Sure, that could be a lot to handle since we're recommending 16-character or longer pass phrases.

If you need help, sign up for a password manager. There are both free and paid options out there. And many internet browsers can help you out with this, though they don't always work across your various devices. 

Keep your details off social media. If you're going to incorporate the name of your favorite English soccer team, don't tweet photos of yourself wrapped in their team scarf, James says.

And stay away from those quizzes you see posted on Facebook that ask you a series of seemingly harmless questions in order to tell you what city you should live in or what your ideal vacation spot would be. They may be a lot of fun, but they collect personal information that could be used to crack your passwords down the road.

Always use 2FA. If your password does get compromised, a second layer of protection will go a long way toward saving your butt. Two-factor authentication, also called multifactor authentication, requires that someone trying to access your account enter a second form of identification. It could be a code generated by an app, a biometric like a fingerprint or facial scan, or a physical security key that you insert into your device.

Yes, this can slow the login process. But if 2FA is available, turning it on is a must.

One word of warning: If you can, avoid 2FA systems that text a code to your smartphone. SIM swapping -- where cybercriminals steal your phone number by calling your wireless provider and having them switch your number to a new phone and SIM card -- does happen.

And if a criminal takes over your phone number, they'll get that text message, too.