Every day, thousands of accounts are compromised because of weak or poorly managed passwords. The good news? Most breaches are entirely preventable. Here are the 10 most common password mistakes people make — and how to fix them.
Password reuse is the single biggest security risk online. When one site gets breached — and it happens more often than you think — attackers immediately try that email and password combination on every major platform (banking, email, social media). This is called credential stuffing, and it works because the average person reuses the same password across 5+ sites.
Fix: Use a unique password for every account. A password generator makes this effortless.
Your pet's name, your birthday, your anniversary, your child's name — these are the first things attackers guess. With social media, most of this information is publicly available. A 2023 analysis of leaked passwords found that over 15% contained a common name or birth year.
Fix: Generate random passwords that contain no personal information whatsoever.
Every character you add exponentially increases the time needed to crack a password. An 8-character password with mixed case and numbers can be cracked in under 5 hours by a modern GPU. A 16-character password with the same character set would take millions of years.
Fix: Use passwords that are at least 16 characters long. Longer is always better.
Attackers use dictionary attacks — trying every word in the English (and other) languages — as their first step. Even variations like "P@ssw0rd!" are well-known substitutions that cracking tools handle automatically. The Oxford English Dictionary has over 170,000 words, but a GPU can test billions of combinations per second.
Fix: Use completely random character sequences, not modified words.
Physical security is often overlooked. Passwords written on sticky notes, in notebooks, or saved in unencrypted text files are visible to anyone who walks by your desk or accesses your device. A 2024 study found that 1 in 3 office workers still keep passwords on visible sticky notes.
Fix: Use a password manager instead. You only need to remember one master password.
Even the strongest password can be compromised if a site you use is breached. Two-factor authentication adds a second layer of protection — a code sent to your phone, an authenticator app, or a hardware key. Accounts with 2FA enabled are 99.9% less likely to be compromised.
Fix: Enable 2FA on every account that supports it. Use an authenticator app, not SMS, when possible.
Routers, IoT devices, and old accounts often ship with default passwords like "admin" or "password". These are publicly documented and the first thing attackers try when scanning for vulnerable devices. Even accounts you created years ago may have been part of a data breach you never heard about.
Fix: Change default passwords immediately. Use Have I Been Pwned to check if your email has appeared in known breaches.
Sending passwords through email, SMS, or messaging apps stores them in plain text on third-party servers. If those services are ever breached, your passwords are exposed. Even if you trust the recipient, you're creating a permanent record of your credentials.
Fix: Share credentials through a password manager's secure sharing feature, or use a temporary one-time link.
The strongest password in the world won't protect you if you type it into a fake login page. Phishing attacks have become increasingly sophisticated, with attackers cloning real login pages and using urgent language to trick you. The Anti-Phishing Working Group reported over 5 million phishing attacks in 2024 alone.
Fix: Always check the URL before entering credentials. Bookmark important sites instead of clicking links in emails.
The single best habit you can adopt is using a password generator for every new account. Human-generated passwords follow predictable patterns — we favour certain letters, avoid difficult characters, and create passwords we can pronounce. Password generators have none of these biases and produce truly random output.
Fix: Use a quality password generator like PassGenerator, which uses crypto.getRandomValues with Fisher-Yates shuffling for true randomness.
Ready to create truly secure passwords?
No sign-up. No data uploads. Everything runs in your browser.