The biggest password mistakes to avoid making

A laptop viewed from the side with a person typing on it. Their hands are lit up by the laptop's backlight
(Image credit: Unsplash/Glenn Carstens-Peters)

Whether you're a complete tech junkie or an online novice, you'll be familiar with passwords. You'll also probably be aware that your passwords might not be as strong as they should be.

Research by password manager NordPass found that of the 200 most common passwords, 70% of them can be cracked in under a second. Likewise, cybersecurity company Keeper Security found that three-quarters of people do not follow password guidelines, with two-thirds using weak or identical passwords across multiple accounts.

While not all passwords are created equal, Nord’s research found that the strongest passwords are reserved for financial accounts while streaming accounts have the weakest—the evidence is clear; in general, people are neglecting at least some of their password safety.

You may think that the password for a streaming account is small potatoes and that hackers simply wouldn't care about accessing your account, but using weak passwords can have far-reaching, unintended consequences.

I'll explore the top password mistakes you shouldn't be making and why, no matter the account they're protecting.

Reusing passwords across multiple accounts

While people may know that they're not supposed to reuse passwords across multiple accounts, the majority still do. A survey by Google found that 65% of people reuse passwords, with 13% reusing the same password across all accounts. Likewise, a survey by LastPass found that while 91% of respondents said they recognized the risks of reusing passwords, 59% said they did so anyway.

While you may think reusing passwords is easy and convenient—after all, it means you only have to remember one password instead of a dozen—it actually leaves you vulnerable to cyberattacks. By reusing passwords, you open up as many accounts as the password is reused for to hackers if that password is revealed in a data breach.

Cyberattacks which involve cybercriminals using dozens of combinations of login information exposed in previous breaches in an attempt to gain access to victims' other accounts are known as credential stuffing attacks, as hackers 'stuff' login information into login portals until they gain access. These cyberattacks can have far-reaching consequences.

In October 2023, the customer information (including account, health and phenotype, area of origin, and identification information including photos) of 13 million 23andMe customers was discovered for sale on the dark web. It was later revealed that 23andMe had sent a letter to those affected by the data leak, informing them that cybercriminals had gained access to this customer data as said customers had "negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe", meaning that the cybersecurity incident was "not a result of 23andMe’s alleged failure to maintain reasonable security measures".

While many felt it was unfair of 23andMe to blame the cybersecurity incident on their customers, with one of the lawyers representing the victims in a class action lawsuit calling it "nonsensical" and "shameless", this extensive data leak does demonstrate how dangerous reusing login information can be.

Often, companies will send notices to accounts whose data has been revealed in a breach. If you use a password manager, you also may receive notices alerting you to a compromise. However, if you are still unsure about whether or not your passwords have been made public, HaveIBeenPwnd.com is a free resource that can reveal what information about you has been exposed in data breaches.

If you are struggling to remember multiple different passwords, a password manager is a great solution. There are a number of different options, both free and paid, which will not only save your login details for you, but also suggest strong passwords that are less likely to be guessed by hackers.

Not using complex passwords

Reusing passwords is not the only password mistake you can make. Using simple, easily guessed passwords is also a big no-no.

You may have been annoyed by sites that require you to use 8-14 characters, special characters, numbers, and/or capital and lowercase letters before deeming your password 'strong' enough, but this inconvenience ultimately ensures your cyber-safety.

If you use weak passwords, you are leaving your account open to hackers who wish to steal your, or your company's, data. Hackers launch 'brute force' attacks, using trial and error to guess passwords or other login credentials, and gain access to accounts. This can either be done manually or by using software that inputs the passwords for them. Using weak passwords makes guessing easier for hackers, and allows them to access your or your company’s accounts far more easily.

The ramifications of brute force attacks can be seen in the October 2023 shutdown of one of Taiwanese hardware vendor QNAP’s servers. The server was shut down after the company discovered that it was being used as part of a large-scale brute force hacking attempt against internet-exposed network-attached storage (NAS) devices. In their advice to those looking to protect their endpoints from brute force attacks, QNAP strongly recommended disabling admin accounts, avoiding using weak passwords, setting up strong passwords for all accounts, and making sure that passwords are regularly updated.

Complex passwords are at least eleven characters long, and consist of a range of upper and lower case letters, numbers, and special characters, e.g. &, * or !. You may argue that this makes them harder to remember, and while this is true, this is where password managers, with their ability to both generate and save passwords, come in handy. They don’t even need to cost a penny, either, with many great free password managers out there.

Using passwords that contain personal information

Some folks include personal information, like birthdates and pet names, to help them remember passwords. You might think that these things are unique enough to you that they won't be guessed but, unfortunately, this isn't the case.

Personal information can be accessed during other data breaches. Once this information is made available to cybercriminals via sale on the dark web, they can then use this information to access other accounts. 

In January of this year, mobile network operating company Orange Spain suffered a major outage after a hacker obtained a "ridiculously weak" password for Orange Spain’s RIPE Network Coordination Center (RIPE NCC) account, which controls and manages the mobile network’s internet traffic.

The hacker, under the alias "Snow", bought the password, which had been obtained after an Orange Spain employee's device became infected with malware, from the cybercriminal responsible for the malware attack via the dark web. Using the password ("ripeadmin"), Snow was able to access Orange Spain's RIPE NCC admin account. They were then able to make changes to Orange Spain’s global routing and deny service to customers of the mobile network.

This is not the only time that weak passwords have led to cybercriminals breaching a company network. In September 2023, software company LogicMonitor suffered a data breach which was allegedly caused by the use of weak passwords.

A victim of the data breach said that the data breach was caused by an employee using a weak, default password which is used across all user accounts when a new employee joins the company. As this password was not changed, hackers were able to gain access to the company's network.

The key to avoiding these cyber attacks is to use passwords that do not contain any personally identifying or obvious information. One way to do this is to create a 'passphrase', a sentence made up of seemingly random words. These passphrases can be as little as eight characters but can go up to 100 characters. When creating a passphrase you should avoid using well-known quotes or phrases, as these make the passphrase easier to crack. 

Alternatively, use a password generator to come up with strong passwords that are both random and unique. 

However you come up with your complex passwords, they can then be saved using a free or paid password manager, keeping you, your accounts, and your data safe.

Olivia Powell
Commissioning Editor for Tech Software

Olivia joined TechRadar in October 2023 as part of the core Future Tech Software team, and is the Commissioning Editor for Tech Software. With a background in cybersecurity, Olivia stays up-to-date with all things cyber and creates content across sites including TechRadar Pro, TechRadar, Tom’s Guide, iMore, Windows Central, PC Gamer and Games Radar. She is particularly interested in threat intelligence, detection and response, data security, fraud prevention and the ever-evolving threat landscape.