The 10 Most Common Password Mistakes People Still Make

We’ve been using passwords for decades… and somehow we’re still tripping over the same banana skins. If you recognise yourself in any of these, no shame — fix them now and you’ll be miles ahead of most people.
TL;DR
Go long, go random, use a manager, and turn on 2FA. Avoid reuse. Change on events (breach), not on a calendar.
1) Using “123456” or “password”
Why it’s bad: Attackers always try the obvious first. These (and things like qwerty, password1, letmein) are in every cracking list.
How it happens: You needed an account quickly and promised you’d “change it later”. You didn’t.
Fix: Go long and random. Aim for 14–16+ characters (more is better). Use a generator.
Better example: vR4m-Ft6e!Jq82wN
2) Reusing the same password everywhere
Why it’s bad: One leaked password = a skeleton key. Attackers run your email + password against hundreds of sites (credential stuffing).
How it happens: You’ve got dozens of logins and can’t remember them all.
Fix: Use a password manager so every account gets a unique password. If one site leaks, the damage doesn’t spread.
Quick win: Change the reused password on your email, banking, and cloud storage first.
3) Making passwords too short
Why it’s bad: Short = fewer combinations = faster to crack.
How it happens: Old policies forced 8 characters with “complexity”. That’s not enough anymore.
Fix: Go for 14–16+ characters as your default. For Wi‑Fi and anything high value, think 20–24.
Tip: Length beats cleverness. A long random passphrase often wins.
4) Using personal info (names, birthdays, pets, football teams)
Why it’s bad: This is exactly the stuff people can find on social media or with basic sleuthing.
How it happens: You wanted something memorable and picked Spurs2012! or your child’s name.
Fix: No real words, no dates, no favourites. Keep it random and unrelated to you.
Bad → Good:
LandoNorris2025! → mooncup-harbour-socket-6?river
5) Relying on predictable patterns or lazy “complexity”
Why it’s bad: P@ssw0rd! looks fancy but it’s in attacker dictionaries. Keyboard runs like 1qaz2wsx are common.
How it happens: You’ve been told to add symbols and numbers, so you swap letters for look‑alikes.
Fix: Don’t “decorate” a real word. Use truly random characters or random‑word passphrases.
Example: orchid-slate-9/LION-parking
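To put numbers on "length beats cleverness" (section 3) and to show why a "decorated" word like P@ssw0rd! still falls to a dictionary (section 5), here is an added Python example that is not from the post or from any of the tools it links. The wordlist and the denylist are constructed for the example; the 7776 used in the passphrase comparison is the size of a standard Diceware list.

```python
import math
import secrets
import string

# Constructed for this example: a tiny wordlist and a tiny denylist of
# passwords found in every cracking list (the post names several of them).
WORDS = ["mooncup", "harbour", "socket", "river", "orchid", "slate", "lion", "parking"]
COMMON = {"123456", "password", "qwerty", "password1", "letmein"}
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-/=?@_"  # 75 symbols

def random_password(length=16):
    """Uniform random characters from ALPHABET via the OS CSPRNG (secrets),
    never the predictable random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_passphrase(n_words=5, wordlist=WORDS):
    """Random words joined with '-'. Strength comes from the list size and the
    word count, not from the words themselves (the constructed list is tiny)."""
    return "-".join(secrets.choice(wordlist) for _ in range(n_words))

def entropy_bits(pool_size, count):
    """Bits of entropy for `count` independent uniform picks from `pool_size`
    choices, i.e. log2(pool_size ** count). Attacker guesses scale as 2**bits."""
    return count * math.log2(pool_size)

# Look-alike swaps attackers undo in their rule sets: P@ssw0rd -> Password.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def undecorate(pw):
    """Strip the usual trailing digits/symbols, reverse the look-alike swaps
    and lowercase, recovering the real word underneath the 'complexity'."""
    base = pw.rstrip(string.digits + string.punctuation)
    return base.translate(LEET).lower()

def is_decorated_common(pw):
    """True when the password is just a denylisted word with decoration."""
    return undecorate(pw) in COMMON

if __name__ == "__main__":
    print("16 random chars :", random_password(), f"~{entropy_bits(len(ALPHABET), 16):.0f} bits")
    print("5 Diceware words:", f"~{entropy_bits(7776, 5):.0f} bits")
    print("P@ssw0rd! is a decorated common word:", is_decorated_common("P@ssw0rd!"))
```

A 16-character random password from this alphabet is roughly 100 bits; five words from a 7776-word list are about 65 bits, still far beyond an 8-character decorated word that a rule-based dictionary attack reduces to a single guess.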
6) Not changing passwords after a breach
Why it’s bad: Once a site leaks, your password is effectively public.
How it happens: You miss the breach email or assume it won’t matter.
Fix (do these in order):
- Change the password on the breached site.
- Change it anywhere else you reused it.
- Sign out of all sessions on that service.
- Rotate recovery options if needed (backup codes, recovery email).
- Turn on 2FA while you’re there.
Pro move: Set up breach alerts for your email address so you don’t miss future incidents.
7) Saving passwords in the browser with no device security
Why it’s bad: If your laptop is stolen or malware lands, saved logins can be exposed.
How it happens: Browsers offer to “save password?” and you click yes forever.
Fix:
- Prefer a dedicated password manager with strong encryption.
- If you stick with browser saving, ensure your device has a strong login, full‑disk encryption, auto‑lock, and no unattended sessions.
- Avoid exporting passwords to a plain CSV; if you must, encrypt the file and delete it as soon as you are done.
8) Skipping two‑factor authentication (2FA)
Why it’s bad: Without 2FA, one stolen password is enough.
How it happens: It feels like a faff. You’ll “do it later”.
Fix: Turn on 2FA everywhere that matters. Ranked from best to merely OK: security key (best), authenticator app/TOTP (great), SMS (better than nothing, but vulnerable to SIM‑swap). Save backup codes safely.
9) Sharing passwords over email/Slack/WhatsApp
Why it’s bad: Messages are forwarded, archived, and breached. You lose control instantly.
How it happens: You need to share the Netflix login or a team account “just for now”.
Fix: Use your manager’s secure share feature, or create a separate account/role. If you must send one, change it immediately after.
10) Creating something impossible to remember… then writing it on a sticky note
Why it’s bad: Shoulder‑surfers and phone cameras exist. Office cleaners and visitors too.
How it happens: You made a monster password and had to put it somewhere.
Fix: Let the manager remember. If you need an offline backup for a master password, use a sealed notebook in a safe place — not the monitor.
A simple, future‑proof setup
- Use a password manager across phone and computer.
- Generate long, unique passwords for every account.
- Turn on 2FA (prefer authenticator app or hardware key).
- Set breach alerts for your email.
- Review high‑value accounts quarterly (email, banking, cloud, registrar, manager).
- Tip: Need strong passwords fast? Try our generator and passphrase tabs.
Sources & further reading
- NIST SP 800‑63B: Digital Identity Guidelines — https://pages.nist.gov/800-63-3/sp800-63b.html
- UK NCSC: Passwords collection & guidance — https://www.ncsc.gov.uk/collection/passwords
- CISA: Secure Our World — Use strong passwords and MFA — https://www.cisa.gov/secure-our-world/use-strong-passwords-and-password-manager
- Have I Been Pwned — breach checks — https://haveibeenpwned.com/
- Dropbox zxcvbn strength estimator — https://github.com/dropbox/zxcvbn
- Verizon DBIR — credential‑related breach trends — https://www.verizon.com/business/resources/reports/dbir/
Image credit: AI‑generated illustration created for this post.