While superheroes are expected to keep the world safe in the movies, in real life they do a poor job of keeping accounts safe when used as passwords, a cybersecurity study finds.

Mozilla, the tech company behind the Firefox browser, reports that superhero names have become quite popular, yet make for weak passwords.

Not-so-secret identities

Based on research using the HaveIBeenPwned.com database, it found that the three most popular superhero passwords that have been found in breached datasets are “Superman” – appearing in 368,397 breaches – followed by “Batman” (226,327) and “Spider-Man” (160,030).

Other fairly popular superhero passwords include “Wolverine” (53,745), “Ironman” (44,175), and a tie between “Wonder Woman” and “Daredevil” (21,756).

Though appearing in their own movies within the Marvel cinematic universe, the following weren’t very popular: “Thor” appeared in 7,133 breached datasets, followed by “Black Widow” and “Black Panther” (4,507 each), and “Captain America” (689).

“And if you thought maybe their real identities might make for a better password, think again,” revealed Mozilla, noting that the same superheroes’ civilian names were also among the most popular weak passwords.

It noted that Wolverine’s real name “James Howlett/Logan” appeared in 30,479 breaches, followed by Superman’s reporter alter ego “Clark Kent” (4,919) and Batman’s billionaire playboy identity “Bruce Wayne” (2,267).

To note, most of the real name-based passwords appeared in far fewer breached datasets, most in under 200 incidents.

Mozilla included a disclaimer that since these numbers are based on manual checks, the current numbers may be higher as of time of publication, with more data breaches continually happening.

The HaveIBeenPwned.com database is a collection of more than 613 million passwords previously exposed in data breaches. This makes them unsuitable for use, as hacking programs are more likely to guess these passwords when trying to break into accounts.

The study was done in conjunction with the 18th National Cybersecurity Awareness Month in the US, which runs annually throughout October.

Safer strategies

Mozilla recommends several strategies to avoid being compromised by weak or easy-to-guess passwords.

This includes saving passwords onto the password manager built into the browser, enabling users to utilise more complex passwords that would otherwise be difficult to commit to memory, especially if it includes a mixture of uppercase and lowercase letters along with numbers and symbols.

This enables the user to access their passwords seamlessly, with most browsers having an option to auto-fill login information when it recognises the page.

It is recommended that users login to their browser and opt for the same one on both desktop and mobile, so that the saved passwords can be accessed easily when moving between devices.

The main drawback of this approach is that should users ever decide to switch browsers, they would need to set up their password management system all over again – a process that can be both complex and time-consuming.

To avoid this, users can opt for third-party password managers, which often offer integration with various browsers. Some of the most popular ones on the market include Dashlane, 1Password and LastPass.

When choosing a password manager, users should also pay attention to whether it is compatible with their entire ecosystem, so that they can easily sync all their devices (iOS and/or Android on mobile, Windows or macOS on desktop).

Those who decide against a password manager should change passwords regularly, use unique passwords for each account, and enable two-factor authentication wherever possible.