9 Common Password Mistakes (and How to Fix Each One)
Most compromised accounts are not the victims of sophisticated hacking. They are the result of a handful of ordinary mistakes repeated by millions of people. Here are the nine most common, ranked roughly by how much damage they cause, along with the fix for each.
1. Reusing the same password
This is the big one. When any site you use is breached, attackers try the leaked password everywhere else. Fix: use a unique password per account, which only a password manager makes realistic. See how to stop reusing passwords.
2. Using short passwords
Eight characters is no longer enough, no matter how "complex." Fix: aim for 16+ characters. More on this in how long should a password be.
3. Basing passwords on personal information
Your name, birthday, pet, partner, or favorite team are all guessable, often from your public social media. Fix: use random words or characters with no connection to you.
4. Predictable substitutions
Swapping "a" for "@" and "o" for "0" feels clever but is the first thing cracking tools try. "P@ssw0rd" is effectively as weak as "password." Fix: rely on length and randomness, not substitution tricks.
5. Keyboard patterns
"qwerty," "1qaz2wsx," and "asdfgh" look random but follow the physical layout of the keyboard, which attackers model. Fix: check yours with the keyboard pattern detector and avoid them.
6. Sequential numbers and dates
"123456" remains one of the most common passwords on earth, and "Password2024" is barely better. Fix: never use sequences or the current year as a crutch.
7. Storing passwords in plain text
A notes file, a spreadsheet, or a sticky note on your monitor are all readable by anyone with access to your device or screen. Fix: store passwords in an encrypted manager. On a Mac, Passlock keeps them in the native Keychain, encrypted and offline.
8. Never checking for breaches
A password can be strong and still be compromised if the site storing it leaked. Fix: periodically run your passwords through the password leak checker, which checks them against known breaches without ever sending the full password.
9. Sharing passwords insecurely
Texting a password or emailing it leaves a permanent, unencrypted copy in two inboxes. Fix: use a proper secure-sharing method. See how to share a password securely.
The pattern behind the mistakes
Notice that almost every mistake comes from trying to manage passwords with human memory and habit. The moment you offload generation and storage to a password manager, most of these errors become impossible to make: the manager will not reuse a password, will not pick a short one, and will not base it on your dog's name. Fixing the tool fixes the behavior.
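Mistakes 4 through 6 (substitutions, keyboard patterns, sequences and years) are predictable enough to flag mechanically when auditing existing passwords. The following is an added example, not part of the original article or of any tool it mentions; the function names, the four-word sample list and the US QWERTY layout are assumptions made for illustration.

```python
import re

# Constructed sample data: a real audit would load a breached-password
# wordlist instead of this four-word set.
COMMON = {"password", "letmein", "welcome", "dragon"}
# Undo the usual character swaps before the wordlist lookup.
LEET = str.maketrans("@4031!$57", "aaoelisst")
# US QWERTY layout (assumption): rows give horizontal walks, columns vertical ones.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
SEQS = ["0123456789", "abcdefghijklmnopqrstuvwxyz"]


def _has_run(text, tracks, n=4):
    """True if any n-character window of text lies along a track, in either direction."""
    both = tracks + [t[::-1] for t in tracks]
    windows = (text[i:i + n] for i in range(len(text) - n + 1))
    return any(w in t for w in windows for t in both)


def weak_patterns(password):
    """Return the set of predictable patterns found in password."""
    raw = password.lower()
    flags = set()
    if any(w in raw for w in COMMON):
        flags.add("common_word")
    elif any(w in raw.translate(LEET) for w in COMMON):
        flags.add("leet_substitution")  # e.g. P@ssw0rd normalizes to password
    if _has_run(raw, ROWS + COLS):
        flags.add("keyboard_walk")
    if _has_run(raw, SEQS):
        flags.add("sequence")
    if re.search(r"(19|20)\d\d", raw):
        flags.add("year")
    return flags


if __name__ == "__main__":
    # The weak examples quoted in the article.
    for pw in ["P@ssw0rd", "1qaz2wsx", "asdfgh", "123456", "Password2024"]:
        print(f"{pw!r}: {sorted(weak_patterns(pw))}")
```

An empty result only means none of these specific patterns matched; it does not measure length or randomness.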
Frequently asked questions
Is writing passwords down always a mistake?
Not necessarily. A password written on paper and locked in a home safe can be safer than a weak reused password. The danger is plain-text files on the same device or notes left in the open.
What is the single most important mistake to fix first?
Password reuse. Eliminating it prevents one breach from cascading into many compromised accounts.