Messi tops Ronaldo in World Cup password breaches

Analysis of compromised passwords reveals a generational shift in the football names that appear, weeks before the FIFA World Cup 2026 kicks off.

With the 2026 FIFA World Cup just weeks away, new research from Specops, an Outpost24 company, reveals that Lionel Messi outranks Cristiano Ronaldo by a clear margin in one of the more unexpected matchups of the year: their frequency of appearance in breached password datasets.

Drawing on a database of more than 6.4-billion breached passwords, Specops researchers found Messi appearing more than 1.2-million times, against Ronaldo’s roughly 923,000 occurrences, a difference of around 26%. The release coincides with the addition of 300 million newly compromised passwords to Specops Breached Password Protection, sourced from the company’s honeypot network and threat intelligence feeds.

Top 10 player names by occurrence in breached password data

Rank  Player     Occurrences
1     Messi      1,221,563
2     Vinicius   1,198,898
3     Salah      1,123,062
4     Saka       1,019,325
5     Kane         987,335
6     Ronaldo      923,582
7     Fernandes    804,159
8     Gavi         683,831
9     Isak         682,702
10    Pedri        394,639

The breakdown reveals a generational shift in the data. Five of the top ten names (Vinicius, Saka, Gavi, Isak, Pedri) represent players who emerged in the past few years, while Salah and Kane represent the established stars. This mix suggests that password choices are not just legacy habits, but reflect the players fans are watching now. It also reflects rather poor choices in the legacies parents hand down to their children. 

Top 10 widely supported clubs in breached password data

Rank  Team       Occurrences
1     Roma       5,340,687
2     Porto        517,505
3     Barcelona    474,842
4     Lyon         427,824
5     Valencia     427,480
6     Napoli       363,189
7     Chelsea      362,311
8     Everton      351,011
9     PSG          331,641
10    Arsenal      311,740

Roma tops the table with 5.3-million occurrences, well clear of the chasing pack, though that lead almost certainly owes more to the city of Rome than to AS Roma fans. Honorable mentions go to Liverpool, edged out of the top 10 by Merseyside rivals Everton by more than 90,000 occurrences: a rare derby win for the blue half of the city. But… Everton?

Why football names make weak passwords

People need to remember an ever-growing list of credentials, so they reach for what is easy to recall: a favorite player, a long-supported club, a historic win. The same qualities that make these passwords memorable also make them predictable to attackers.

Recent infostealer dumps confirm the pattern. Examples of real compromised passwords pulled from one of the largest recent dumps include:

  • Cristianoronaldo7@@
  • Cr7ronaldo@?
  • zidaneisbetterthanmbappe1234
  • lionelmessithebest10
  • lionelmessithegoat10
  • mrs_kylianmbappe
  • kylianmbappeg04t

A password like “Cr7ronaldo@?” meets common complexity rules and feels secure, but if an attacker knows the user is a Ronaldo fan, the password becomes fairly predictable even before it is leaked. Attackers do not type passwords manually. They run wordlists through tools such as Hashcat or John the Ripper and apply rule-based mutations: appending years, swapping letters for numbers, adding symbols. Once a popular term lands in a wordlist, every plausible variation comes for free.

Breached password datasets compound the problem. Each new leak of “Cr7ronaldo” or a variant gets prioritized more aggressively in the next round of attacks, and users tend to reuse or only lightly modify passwords, so a football-themed credential compromised in one context can quickly become an entry point elsewhere.

Defending against credential-based attacks

To reduce the risk that predictable, breached, or guessable passwords introduce into enterprise environments, organisations should consider:

  • Enforcing a minimum password length of 15 characters, or providing support for longer passphrases.
  • Requiring multiple character classes: uppercase, lowercase, numbers, and special characters.
  • Implementing a custom dictionary that blocks popular words and terms relevant to the organisation.
  • Using a breached password database to prevent users from selecting compromised passwords.
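
The sketch below shows how these four checks can fit together in a password filter. It is an added example, not code from Specops or from the research described here. The blocked-term list, the substitution map, the rule that all four character classes are required, and the in-memory breached set are assumptions made for illustration.

```python
import re

MIN_LENGTH = 15  # from the article's first recommendation
# Hypothetical custom dictionary, seeded with names from the article's tables and examples.
BLOCKED_TERMS = {"messi", "ronaldo", "vinicius", "salah", "saka", "kane",
                 "mbappe", "zidane", "cr7", "everton", "arsenal", "chelsea"}
# Undo the common letter-for-number/symbol swaps before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalised_forms(password):
    """Return the lowercase, de-leeted and letters-only views of a password."""
    lower = password.lower()
    deleet = lower.translate(LEET)
    letters_only = re.sub(r"[^a-z]", "", deleet)  # drops separators and padding
    return {lower, deleet, letters_only}


def blocked_terms_in(password, terms=BLOCKED_TERMS):
    """List dictionary terms hidden anywhere inside any normalised form."""
    forms = normalised_forms(password)
    return sorted(t for t in terms if any(t in f for f in forms))


def check_password(password, breached=frozenset()):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(c, password) for c in CLASSES):
        reasons.append("missing a character class")  # assumption: all four required
    hits = blocked_terms_in(password)
    if hits:
        reasons.append("contains blocked term: " + ", ".join(hits))
    if password in breached:
        reasons.append("found in breached password list")
    return reasons


if __name__ == "__main__":
    # Two passwords quoted in the article plus two constructed samples.
    for pw in ("Cr7ronaldo@?", "Cristianoronaldo7@@", "M3ss1_Forever_2026!",
               "Quiet-Lantern-Orbit-42"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

"Cristianoronaldo7@@" passes the length and character-class rules and is rejected only by the dictionary check, which is why complexity rules alone are not enough.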

This month’s update to Specops Breached Password Protection also adds more than 4.6-million newly compromised passwords to the express dataset used by Specops Password Auditor, helping organizations identify password risk more accurately. Specops Password Auditor performs a read-only scan of Active Directory and provides a complimentary report on weak policies, breached credentials, and stale or inactive accounts. Specops Password Policy with Breached Password Protection extends this to ongoing protection, scanning Active Directory against more than 6.1-billion known compromised passwords on a continuous basis.

The findings were produced by the Specops Research Team. 
