Given how often they occur in breach datasets, superhero passwords aren't a strong account protection method, even when the superheroes' real identities are used instead. Data from breach notification website haveibeenpwned.com reveals that many users choose to protect their online accounts with superhero names, thus weakening their protection.
With more than 328,000 occurrences in breach datasets, Superman is the most used superhero password, followed by Batman (more than 226,000 occurrences) and Spider-Man (slightly over 160,000 occurrences). Wolverine, Ironman, Wonder Woman, and Daredevil are also popular, appearing tens of thousands of times in datasets.
The real identities of superheroes are also poor choices for passwords. James Howlett/Logan was seen more than 30,000 times in datasets and Clark Kent, Bruce Wayne, Peter Parker, and Tony Stark had thousands of occurrences each as well.
If such passwords are used within enterprise environments, they could expose the entire organization to attacks. Even the compromise of a personal account may lead to the gathering of information that, when leveraged in phishing, could help a malicious actor breach an organization.
To ensure additional protection, users should enable two-factor authentication on all accounts that support the feature and should also use monitoring services that alert them when their accounts appear in data breaches. Using an encrypted connection, such as a Virtual Private Network (VPN), also improves security.
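For organizations, one way to keep the names listed above out of use is to reject them when a password is set. The check below is an added example, not part of the original article; the function name `denied_match` and the normalization rules (case, separators, common character substitutions, digits or symbols at either end) are assumptions, and it matches whole passwords only.

```python
import re

# Names taken from the article above. The normalization rules are this
# example's assumptions, not a published standard.
HERO_NAMES = [
    "Superman", "Batman", "Spider-Man", "Wolverine", "Ironman",
    "Wonder Woman", "Daredevil", "James Howlett", "Logan",
    "Clark Kent", "Bruce Wayne", "Peter Parker", "Tony Stark",
]

# Common character substitutions, undone before comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _letters(text):
    """Lowercase, undo substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


# Map each normalized form back to the listed name it came from.
DENY = {_letters(name): name for name in HERO_NAMES}


def denied_match(password):
    """Return the listed name a password reduces to, or None."""
    # Form 1: decoration such as "123" or "!" stripped from both ends,
    # so "Superman123" is compared as "Superman".
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    # Form 2: the whole string, for names that begin or end with a
    # substituted character, such as "wolverin3".
    for form in (stripped, password):
        hit = DENY.get(_letters(form))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["Superman123", "Sp1d3r-M4n!", "wolverin3", "t0ny_st4rk",
               "correct horse battery staple"]:
        print(f"{pw!r}: {denied_match(pw) or 'allowed'}")
```

Whole-password matching avoids rejecting unrelated words that merely contain a listed name, such as "slogan".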