Common Password Mistakes to Avoid

Most account compromises trace back to a handful of avoidable habits. This guide covers the most frequent password mistakes and explains how to fix each one without overcomplicating your routine.

Reusing the same password

When one service suffers a data breach, attackers try those leaked credentials on other sites. If you use the same password for your email and an online shop, a breach at the shop can hand over access to your inbox. Use a unique password for every account, and let a password manager keep track of them all.

Predictable patterns

Adding a number to the end of a word, capitalising the first letter, or swapping letters for symbols (such as replacing "a" with "@") are patterns that cracking tools already account for. These substitutions barely slow an attacker down. Genuinely random passwords, generated by a tool rather than invented by hand, are far more effective.
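To put numbers on this, the following Python script (an added illustration, not from the original guide) compares the effective keyspace of a "dictionary word plus substitutions plus trailing digits" password with one produced by a cryptographic random generator. The wordlist size and rule counts are assumed round figures chosen for the comparison.

```python
import math
import secrets
import string

# Assumed round figures for the comparison (constructed, not measured):
# cracking tools enumerate each of these components with a rule.
DICTIONARY_WORDS = 170_000       # roughly the size of an English word list
SUBSTITUTION_VARIANTS = 16       # a->@, e->3, i->1, o->0 in any combination
CAPITALISATION_VARIANTS = 2      # first letter upper or lower case
APPENDED_DIGITS = 100            # one or two trailing digits (0-99)

# 94 printable ASCII symbols: letters, digits and punctuation.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def pattern_keyspace_bits() -> float:
    """Entropy of 'word + substitutions + capital + digits'.

    Because every component is enumerated by a rule, the effective keyspace
    is the product of the rule counts, not the size of the character set.
    """
    combos = (DICTIONARY_WORDS * SUBSTITUTION_VARIANTS
              * CAPITALISATION_VARIANTS * APPENDED_DIGITS)
    return math.log2(combos)


def random_password_bits(length: int, alphabet: str = DEFAULT_ALPHABET) -> float:
    """Entropy of a password drawn uniformly at random from `alphabet`."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Generate a password with the OS CSPRNG via `secrets` (not `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Pattern-based: ~29 bits. Random 16-character: ~105 bits.
    print(f"word+substitution pattern: {pattern_keyspace_bits():.1f} bits")
    print(f"random 16 chars:           {random_password_bits(16):.1f} bits")
    print(f"example generated password: {generate_password()}")
```

A gain of roughly 75 bits means the random password has about 2^75 times more candidates to try, which is why rule-based mangling of a word barely slows an attacker down.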

Using personal information

Names of children, pets, partners, or favourite sports teams are easy for someone to guess, especially if your social media profiles are public. Even a combination of personal details, such as a surname and a birth year, appears in most password dictionaries. Avoid anything an acquaintance or a quick online search could uncover.

Sharing credentials

Sending a password by text message, email, or chat means it may be stored in plain text on multiple devices and servers. If you need to share access, use a password manager's secure sharing feature, which keeps the credential encrypted. Never dictate passwords over the phone if you can avoid it.

Ignoring breach notifications

When a service notifies you of a breach or you see your email on a breach checking site, act quickly. Change the affected password straight away, and change any other account where you used the same credential. Enable multi-factor authentication wherever it is available.

Weak recovery email

Your recovery email address is the backdoor to almost everything. If an attacker gains access to it, they can reset passwords across your other accounts. Protect your primary email with a strong, unique password and multi-factor authentication. Treat it as the most important account you own.

Frequently asked questions

Is writing passwords on paper a mistake?

It depends on the context. A written note stored in a locked drawer at home is safer than reusing a weak password everywhere. However, a password manager is more practical for day-to-day use because it auto-fills credentials and works across devices.

Should I change all my passwords regularly?

Routine changes are no longer recommended by most security bodies, including the National Cyber Security Centre. Change a password when you believe it has been compromised, not on a fixed schedule.