5 password habits that put you at risk

Anyone who has gritted their way through a mandatory employee cybersecurity training understands that hackers are gunning for our passwords, which have become the Holy Grails of dark web schemers. A compromised password can give criminals access to everything from your credit card number to your Social Security information, and the fallout can be an enormous hassle. Yet most people are too busy to spend much time thinking about password management or are operating on well-intentioned but extremely dated advice. What can individuals do to stay ahead of the next phishing operation?

Don't use iterations of an existing password

While tempting, using "variations of old passwords" is a strategy that "might offer convenience but can also make passwords predictable to attackers," said Forbes. The temptation to do this is much higher if your organization compels you to regularly update your password because "when forced to change one, the chances are that the new password will be similar to the old one," said the U.K.'s National Cyber Security Centre. That's why forced password expiration is a "dying concept," said the SANS Institute. Nevertheless, if you must update, and your password is TacoTuesday2025*, it would be best not to change it to TacoTuesday2026* next year.

Don't use the same password across multiple accounts

So many bad password habits arise from the difficulty of managing so many accounts, and 78% of respondents in a 2024 survey admitted to recycling passwords across multiple accounts or domains. If you use the same password across a number of domains, you are leaving yourself open to coordinated attacks. Having obtained your skeleton password, hackers will "launch credential-stuffing attacks" by "using those logins to access other accounts," said Dashlane. And because "most online accounts assign your email address as a username, it doesn't take Mr. Robot to crack that code," said PC Mag.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Don't use personal details in your passwords

Another extremely common practice that experts caution against is using "your personal details such as your birthday, hometown or pet's name," said the Canadian Centre for Cyber Security. While tying your passwords to easily accessible life experiences, milestones and individual data obviously makes it easier for you to remember, the problem is that using such details increases your risk because they "can be found by a quick search on social networking sites," said the Department of Homeland Security. "More than half of people admitted that they use familiar names in their passwords," including a child's name, a street name or a parent's name, said Security.org.

Don't give your passwords to other people

It may seem like a good deed, a way to save money and an act of protest against the proliferation of streaming services to give your Netflix information to a friend in exchange for their Max login, but sharing passwords is a major security risk. Because "nearly a third of respondents reported using the same password for all their streaming accounts," this risks "moochers sharing passwords with other moochers without the account holder's knowledge or consent," said PC Mag. This also provides another way for hackers and phishers to gain access to your passwords and your vital information. This even includes password sharing with a spouse or domestic partner. "Your own security might be excellent," said Wired, "but if you've shared your credentials, you're at the mercy of the weakest link."

Don't use short or simple passwords

"Something simple, short and predictable" is a "terrible password," said The World Economic Forum. For example, the password "123456" has been "used over 4.5 million times" and "takes less than a second for hackers to crack." That's an example of how a "simple or short password such as a word or name, a sequence of numbers, or combination of these, can be easily guessed by malicious attackers," said cybersecurity expert David Bader. Unsurprisingly, "as character length increases, the total amount of compromised passwords decreases," said Specops Software. Yet only 20% of respondents in a 2021 survey reported using passwords longer than 12 characters.