As the FIFA World Cup continues in the U.S., security experts are warning not to build your passwords around football terminology.

Research conducted by ExpressVPN has found that the use of club and player names or shirt numbers is common among football fans. Almost a quarter of the respondents to a survey of 6,000 football fans across six different countries admitted that they used football-related information in their passwords.

Passwords built around proper nouns such as “Messi” or “Liverpool” are inherently weak, because they are vulnerable to dictionary-based attacks, in which attackers test millions of candidate passwords drawn from wordlists and their common variations.

“If you look at a team like, let’s say, Manchester United, there’s 25 players,” said ExpressVPN’s cybersecurity researcher, Jeremiah Fowler. “Out of those 25 players, you might have five that are superstars. You could run a query on, let’s say, a thousand variants of their names including special characters, and you’d be able to crack 25,000 [passwords] in milliseconds.”

To make matters worse, many of those who use football terminology in their passwords admit that it would be easy for someone with knowledge of who they support to guess their passwords. Almost three quarters of the U.S. soccer fans admitted their football password would be easily guessable. What’s more, 72% said they reuse passwords or close variations of them across different accounts.

Combining Football Password Data

The problem of using football information in passwords is even more acute when combined with other data. People often flaunt who they support on social media, for example, narrowing down the options for hackers.

Data leaks also present another opportunity for cybercriminals. As part of his research, Fowler uncovered a publicly accessible database connected to a major Spanish football club that contained personal data such as names and email addresses of more than 22,000 people.

Those email addresses sometimes contained extra clues, such as using player names (for example leo.messi.xxxx@gmail.com). That could make it far easier for hackers to brute force their way to the password.

Just knowing which club those people support makes them vulnerable to other kinds of attack, too. Fowler said it would make them prime targets for phishing attacks, with fraudsters using fake ticket or shirt ordering scams to get people to click on links that would download malware onto their machines. “I was very surprised at how many football-related documents are floating around the internet, unsecured and publicly accessible,” he said.

Fowler found the Spanish football club’s leaked database (now taken offline) in his first five searches for such information. “If I was able to find that, the bad guys can find that too,” he said. “With all of the fraud around major sporting events, you basically have a working list of real email addresses that are real fans.”

Fowler said football fans stuff their passwords with memorable player and club names because they simply cannot memorize all the different passwords required to navigate modern life. “That’s why I swear by password managers,” he said. “It’s really the only way to have complex passwords and credentials for multiple accounts.”