
Mamma Mia! Compromised passwords are filled with popular music artists

All apologies, but if you use your favorite band as part of your password it’s time to turn around and try something else.

Image: iStock/Cesare Ferrari

In honor of the 2021 Grammys, Specops Software has released a new analysis of over 800 million breached passwords to find which best-selling music artists are most frequently included. Topping the list? It’s R.E.M.

The list pulled any entry in Specops’ compromised password database that contained an artist or group name from Wikipedia’s list of best-selling musical artists. Some matches may be false positives: “R.E.M.” could be part of another word, and names like Chicago, the Eagles and Pink could just as well refer to the city, the animal or football team, or the color.

That said, it’s an entertaining look at a common problem: Passwords are frequently reused, and popular passwords that have already been compromised give attackers easy access to otherwise secure networks.

“This password data release is a fun one that continues to highlight how we humans choose our passwords. We’re pretty predictable, and hackers know this—which is why it’s important to block the use of known compromised passwords,” said Darren James, product specialist with Specops Software.

In all, the 20 artists included in the list are: 

  1. R.E.M.
  2. Cher
  3. Pink
  4. Prince
  5. Kiss
  6. ABBA
  7. Queen
  8. Enya
  9. Drake
  10. Jay-Z
  11. Adele
  12. Eminem
  13. Eagles
  14. Usher
  15. ACDC
  16. Flo Rida
  17. Chicago
  18. Nirvana
  19. Genesis
  20. Metallica

If you could turn back time, you probably wouldn’t give hackers a chance to get the party started. Otherwise it’s probably already too late, so it’s best to see the sign of the times: You can be a gambler but don’t be a fool with your online security. Here are some ways you can avoid taking a chance on bad passwords.

Use a password manager

Password managers are typically protected by a master password, and behind that single login are all the (hopefully unique) passwords for online accounts. Many password managers will even autofill logins as well as suggesting unique, random passwords that are next to impossible to guess or bypass with brute force.

Don’t write it down

Storing passwords in a secured application is one thing, but you should never store passwords on paper, in plain text documents or other easy-to-access records. 

Enable multi-factor authentication wherever possible

Multi-factor authentication requires an additional form of identity verification when logging in to an account. The security of the different forms varies, but a one-time code, a physical security device, biometrics or another additional factor can go a long way toward securing an account.

IT: Audit passwords

IT security professionals should take an adversarial approach to password security by auditing users’ passwords with tools like John the Ripper or other software designed to crack passwords. Users whose passwords are cracked should be required to replace them and trained on proper password hygiene.
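As an added illustration, not code from the article or from Specops, of the two IT-side recommendations above (blocking known compromised passwords, and catching the artist-name pattern the analysis found): a small Python policy check that rejects a candidate password if its SHA-1 hash appears in a breached-hash set or if it contains one of the 20 artist names from the article’s list, after undoing common character substitutions. The breached-hash set and the 12-character minimum are constructed assumptions; storing the breach corpus as SHA-1 hashes follows the convention of public breached-password feeds.

```python
import hashlib
from typing import Optional

# The 20 artist names the article lists, matched case-insensitively as substrings,
# the same substring approach the analysis itself used (so the same false
# positives, e.g. "chicago" the city, apply).
ARTIST_NAMES = [
    "r.e.m.", "cher", "pink", "prince", "kiss", "abba", "queen", "enya",
    "drake", "jay-z", "adele", "eminem", "eagles", "usher", "acdc",
    "flo rida", "chicago", "nirvana", "genesis", "metallica",
]

# Constructed sample of a breached-password corpus, kept as upper-case SHA-1 hex
# digests so the plaintexts never need to live on the policy server.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "metallica1", "Queen2021!", "letmein")
}

MIN_LENGTH = 12  # assumed minimum; the article's advice is a long sentence

# Undo the substitutions people use to dodge naive word matching ("M3tall1ca").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lowercase and reverse common leet substitutions before matching."""
    return password.lower().translate(LEET)


def matched_artist(password: str) -> Optional[str]:
    """Return the first artist name found inside the normalized password, or None."""
    norm = normalize(password)
    for name in ARTIST_NAMES:
        if name in norm:
            return name
    return None


def is_breached(password: str) -> bool:
    """Exact-match the candidate against the breached-hash set."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def check_password(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the candidate passes the policy."""
    if is_breached(password):
        return "appears in a known breach"
    name = matched_artist(password)
    if name is not None:
        return f"contains the artist name '{name}'"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None
```

The rejection reason is what an audit script would log or a change-password form would show; in production the hash set would be the full breach corpus rather than four constructed entries.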

Learn good password hygiene

It’s easier said than done, but there are plenty of tricks you can use to make your passwords harder to guess:

  • Never reuse passwords: Breaches are common, and passwords can easily be tied to usernames on other sites.
  • Make passwords long sentences: Instead of one word with some special characters, use a whole sentence, or obscure lyrics instead of an artist’s name.
  • Let password managers auto-generate passwords.
  • Beware secret questions: Social media and a bit of investigative work make them easy to guess when they’re related to personal details. If you can’t skip them, be sure to make the answers long and complex, just like a good password.