12 Password Mistakes That Hackers Hope You’ll Make

Updated: May 29, 2024

Passwords are supposed to keep us safe, but they can be an open door for hackers to attack our finances and identity. Here's how you can protect yourself.

Common mistakes, big problems

Password hacking is in the news with alarming regularity. Recently, thousands of Disney+ customers lost their accounts in a mass hack attack within days of the new streaming service’s launch. As reported by The Market Realist, those hacked accounts were then sold on the dark web. While large-scale attacks like this can make consumers feel helpless, there are steps we can all take to protect our passwords and our data. Some of them are common sense (don’t use the same password for every site!), and some aren’t quite as obvious. Read on to learn the most common password mistakes that hackers hope you’ll make. And while brushing up on your cybersecurity knowledge, make sure you know what happens when you ignore those security warnings on your computer.

Choosing an easy-to-guess password

“Common mistakes people make with passwords make them easily hackable. Those mistakes include using easy passwords like birthdays, creating common passwords like 1234, using brand names, pop-culture references, or sports to create a password.” —Elias Manolopoulos, founder of Aeon Ads. You’ll want to change your settings immediately if you use any of these 25 passwords.

Not including enough numbers and special characters

“Try to inject as many symbols and numbers and a variety of characters that make your password fairly unique for an unknown entity to guess but relatively easy for you to remember. Substituting symbols for letters is also a good idea as long as the choice of word is fairly complex, so kr3st3v@798! instead of kresteva798! could work, but decades-old p@$$w0rd! would not.” —Ax Sharma, cybersecurity researcher and engineer. Here are 7 alarming things hackers can do when they have your email address.

Using the same password for multiple sites

“Using the same password to log in to every account is a critical mistake that many people make. Even with just one set of log-in credentials, hackers can log into other sites using the same email and password. They, often correctly, assume that users will have the same password across platforms.” —Alex Heid, Chief R&D Officer at Security Scorecard. These are 20 cybersecurity secrets hackers don’t want you to know.

Never changing your passwords

“There are some users who recommend changing your password every year, which is reasonable to consider if it isn’t too much of a burden. However, this can be tedious and unnecessary for power users with hundreds of online accounts that already have strong, unique passwords, so in this case, we just recommend changing new passwords as vulnerabilities to affected services are brought to light.” —Colt Agar, Managing Editor at TheTechReviewer.com. Aside from your phone and computer, here are another 17 everyday things you didn’t know could be hacked.

Creating a password that’s too short

“It is advisable to choose passwords of a significant length, preferably greater than 15. This makes passwords resistant to both online brute-forcing as well as offline hash cracking.” —Sudeep Singh, cybersecurity expert and author of the research paper “Breaking the Crypt.”

Ignoring data-breach news

“Data from breaches gets distributed to the bad guys. The data from the LinkedIn breach is out there for anyone to use. If your password gets exposed in one breach, then every account where you reused it is at risk. It is not a question of if your data will get exposed—it is just a matter of when. Unique passwords for each account limit your exposure. Assume you used the same password for 20 sites and one of them gets breached; you now need to change the password on 20 sites instead of one.” —Tom Evans from Ashton Technology Solutions. Be aware of these other clear signs you’re about to be hacked.

Opting for impossible-to-memorize passwords

“There are some online password generator services or offline random password generators that generate a long string of random characters which are not possible to memorize. While these passwords look very secure, they are not easy to use due to the difficulty in memorizing them. People who use such long randomized passwords tend to save the passwords on a piece of paper or a note on their phone or computer. This makes the passwords vulnerable to discovery by someone else.” —Singh. Plus, your password recovery questions are insanely easy to hack—and you might be to blame.

Storing passwords in places that aren’t secure

“There are a number of very secure password-storage services out there. Google has a built-in password manager to its online account that can be used with Chrome and other Google apps. Apple, of course, has its keychain that can store password and account information. And there are third-party providers of password-management services. Unless you fancy carrying around a notebook of passwords at all times—I do not suggest this!—you need to look into one of these solutions.” —Jason David, CEO of Software Portal.

Slightly modifying your password

“Everyone does it. You get the pop-up on your screen, ‘Cannot use the same password,’ so what do you do? Add a number at the end of it and we think we’ve hacked the system. Well, research shows that modifying passwords slightly is extremely common and also very predictable.” —Jay Lee, uAcademy.
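As an added example (not from the article or from Jay Lee), here is the kind of change-policy check a site could run server-side so that a "slight modification" of the previous password is rejected rather than accepted. The stemming rules and the look-alike table are assumptions chosen for illustration, not a standard.

```javascript
// Added example: reject a new password that is a predictable tweak of the old one
// (appended or bumped digits, a trailing "!", case changes, or look-alike symbols).
// The look-alike table below is an assumption for this example.
const LEET = { "@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s" };

// Reduce a password to its "stem": lowercase, drop the leading/trailing digits and
// symbols people tack on, undo look-alike substitutions, then drop anything left
// that is not a letter.
function stem(pw) {
  const core = pw.toLowerCase().replace(/[^a-z]+$/, "").replace(/^[^a-z]+/, "");
  return [...core].map((c) => LEET[c] ?? c).join("").replace(/[^a-z]/g, "");
}

// Standard Levenshtein edit distance (insert / delete / substitute), single-row version.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// True when the new password is too close to the old one: either the raw strings are
// within maxEdits edits of each other, or their stems match (or nearly match).
function isTrivialModification(oldPw, newPw, maxEdits = 2) {
  if (oldPw === newPw) return true;
  if (editDistance(oldPw.toLowerCase(), newPw.toLowerCase()) <= maxEdits) return true;
  const a = stem(oldPw);
  const b = stem(newPw);
  return a.length > 0 && (a === b || editDistance(a, b) <= 1);
}
```

Bumping the year or swapping letters for symbols is caught by the stem comparison; an unrelated randomly generated password passes.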

Using malicious password generators

“As a rule of thumb, people should not rely on online services that generate passwords. It is a risk. A naive Internet user will not have the ability to inspect the source code of the website to ensure that the password generation is being performed in a safe way or not. Safe password generation would mean that the password was generated entirely using client-side code like JavaScript within the browser and it was never transmitted to the server. So, people are advised to avoid using online password-generating services. Hackers with malicious intentions can set up such websites to lure users to select good, quality passwords while they are caching the generated password.” —Singh.

Choosing passwords you can’t remember

“I find that the most effective passwords meet a couple of criteria. First, they are complex in length and structure, use no or few words, and can be easily remembered. Phrases from lyrics and rhymes work for me. Take Jack and Jill as an example. There are many different passwords a user could create simply from a nursery rhyme that has nothing to do with your family, pets, dates, or locations and can be easy to remember. J&JwUth3H1ll or J4ckAJ1llwUptH1!! These are strong passwords yet memorable.” —Terry Ray, Senior Vice President at Imperva.

Not using a reputable password manager

“How can you keep track of all of these passwords? Not on sticky notes or on files you save to your computer called passwords! We recommend simple-to-use password managers such as LastPass or similar to securely manage your passwords and secret ‘codes.’” —Greg Keller, Chief Strategy Officer at JumpCloud. Next, find out how one click can keep your information safe on public Wi-Fi.