Top 10 Mistakes People Make With Passwords

We should all know that a decent password is often all that stands between us and a security incident. Yet many people still end up with a compromised account, a malware infection or a massive credit card bill because they failed to follow the basics of password security. Here are the 10 things that people keep getting wrong, and ways to make sure you get them right.

Picture by Eric Schmuttenmaer

M#10. Using an obvious password

Security firms regularly publish lists of the most common passwords found in leaked databases, and the same suspects always pop up. ‘password’ is perennially popular, as are ‘123456’ and ‘iloveyou’. Your own name, or the name of the site, is also a common choice. Anyone trying to break into your account will try these ‘easy win’ options first, and automated tools try the whole list in seconds.

It isn’t hard to come up with better passwords that are memorable to you but hard for others to crack. Our basic guide will get you started, and this infographic post offers additional helpful tips.

M#9. Writing your password down

No matter how clever your password is, it provides essentially no protection if it is written out for all to see on a Post-It note stuck to your monitor. And don’t presume that anywhere else in your cubicle is a better choice: IT workers and potential felons know all the obvious places to look (under the keyboard, the top desk drawer, the back of the monitor). Remember: a password is only as secret as the place you keep it. If you can’t commit it to memory, it belongs in a password manager, not on your desk.

M#8. Using the same password everywhere

Using exactly the same password on every site or service that needs one means you’ve only got one password to remember. But that minor benefit is entirely offset by the unpleasant corollary: if one of those services is breached and its password database leaks, attackers will take your email address and password and try the same pair at every other popular service (banks, webmail, social networks). One weak site’s breach becomes a breach of everything you own. It’s a dumb move, and you simply shouldn’t do it.

Many people adopt a multi-tiered password strategy: keeping unique passwords for crucial services, but using a basic disposable password for sites which force you to sign up but which you don’t expect to use continually. This is better than just having one password, but still not as secure as having a different password for every service.

M#7. Not using additional security features

Many services offer two-factor authentication: as well as your fixed password, you also need a second, one-time code, which can be sent via text message, generated by an authenticator app on your phone, or produced by a hardware security token. Google offers that option when signing into your account, and many banks also offer it. If it’s available, you should turn it on. That way, even if someone discovers your main password, they still can’t log in without the second factor. A code generated by an app or token is stronger than one sent by SMS, since text messages can be intercepted or redirected; if you are given the choice, prefer the app or token.

M#6. Making passwords too short

The longer your password, the harder it is to guess: every extra character multiplies the number of possibilities an attacker has to try, so length does more for you than swapping a couple of letters for symbols. Many sites now enforce a minimum password length, and often add requirements on top (such as a mixture of lower-case and upper-case letters, numbers and punctuation). But remember: just because it’s the minimum doesn’t mean you have to stick with it. A 20-character password might be hard to memorise, but 12 characters is definitely achievable, and 12 ordinary letters already give an attacker more to search through than 8 characters drawn from the whole keyboard.
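To make the length-versus-complexity claim concrete, here is an added worked calculation (not from the original article). It assumes the password is chosen uniformly at random, which is the best case; human-chosen passwords sit far below these numbers. The guessing rate of 10^10 guesses per second is an assumed figure for an offline attack against a leaked, fast, unsalted hash.

```python
import math

# Alphabet sizes for the character classes sites typically ask for.
ALPHABETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "all printable ASCII": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Size of the search space, in bits, for a uniformly random password:
    length * log2(alphabet). Doubling length doubles the bits; enlarging the
    alphabet only adds a few bits per character."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Attacker's worst case: try every candidate in the space."""
    return 2.0 ** bits / guesses_per_second


def lowercase_length_to_match(alphabet_size: int, length: int) -> int:
    """How many purely lowercase letters give at least as large a search space
    as `length` characters from an alphabet of `alphabet_size`."""
    return math.ceil(keyspace_bits(alphabet_size, length) / math.log2(26))


def compare(guesses_per_second: float = 1e10):
    """Rows of (alphabet, length, bits, years to exhaust) for a few policies."""
    policies = [
        ("all printable ASCII", 8),   # the classic 'complex' 8-character minimum
        ("lowercase", 12),            # the article's 'achievable' length, letters only
        ("mixed case+digits", 12),
        ("lowercase", 20),
    ]
    rows = []
    for name, length in policies:
        bits = keyspace_bits(ALPHABETS[name], length)
        years = seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR
        rows.append((name, length, round(bits, 1), years))
    return rows


if __name__ == "__main__":
    for name, length, bits, years in compare():
        print(f"{length:2d} chars, {name:20s}: {bits:5.1f} bits, "
              f"{years:.3g} years at 1e10 guesses/s")
    print("lowercase letters needed to beat 8 printable characters:",
          lowercase_length_to_match(95, 8))
```

Twelve lowercase letters (about 56 bits) out-search eight characters from the full 95-symbol keyboard (about 53 bits), and twenty letters (94 bits) are out of reach of brute force entirely. The caveat is the uniform-randomness assumption: a 20-character password made of a common phrase is not a 94-bit password, which is the point the password-manager section below makes about letting software generate them.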

M#5. Sharing passwords with others

When we asked readers last year if they shared passwords with their partners, more than half of you said you did. It’s lovely that you trust your partners, but we feel sorry for those of you who suddenly discover that love doesn’t always last forever. We’ll say it again: a password someone else knows is no longer fully yours, and you have no control over where that person writes it down, reuses it or leaves it logged in.

If you feel you need to know a family member’s password, there are other tactics you can adopt. If you want to keep track of your kids’ passwords in case of an emergency, a piggy bank can be handy. If you want to make sure family members can sort your online affairs by accessing your accounts after you die, there are services to handle that.

M#4. Not using secure browsing sessions

Especially on public networks, it’s dangerously easy for anyone sharing the network to read your password as it travels to a site if the connection isn’t protected by HTTPS. Look for the padlock and ‘https://’ before you type a password, make encrypted connections your default choice, and you won’t have to stress whenever you’re using an unfamiliar network. Also check out the HTTPS Everywhere extension, which switches you to the encrypted version of a site wherever one exists.

M#3. Not securing your machine when others use it

So someone asks if they can quickly use your machine to go online, and you say “sure”. We applaud your sociability, but we implore you to protect your privacy first: log out of your accounts, or hand over a guest account or a private browsing window rather than your own session. Otherwise, your “friend” might discover something you’d rather they didn’t, or simply walk away with a browser that is still logged in as you.

M#2. Not changing passwords regularly

Everyone knows they should change their passwords regularly. Very few people do. Even if you’re using every other strategy in this list, changing a password limits how long a stolen copy stays useful, and it is essential the moment a service you use reports a breach or you suspect someone else has it. A scheduled change only helps if the new password is genuinely new, though: last year’s password with the final digit bumped is the first thing an attacker with the old one will try. Set yourself a calendar appointment to update your passwords and stick to it.

M#1. Not using a password manager

Using a password management system ensures that you can achieve most of the other goals on this list easily. We’ve detailed how to set up an any-browser solution, how to audit the system and how to use a USB drive for even more security. There are many password management systems out there; find one you’re comfortable with and use it.

Lifehacker 101 is a weekly feature covering fundamental techniques that Lifehacker constantly refers to, explaining them step-by-step. Hey, we were all newbies once, right?


  • I think changing the password regularly is quite hard to do, since we have multiple mobile devices and it’s really annoying to change all those passwords at once. We should have a solution to change the password on all those devices at once.

  • Also it is much more difficult to enter a complex password on a mobile device. On my PC I copy and paste from KeePass but on my Android device I have to laboriously tap in the characters e.g. typing in something like TcPUs56tVRSrkpGHPbPC is a major PITA. Took me 5 attempts to log into gmail. So I imagine it is a great temptation for naive users to have nice short easy to type passwords. Note I have only had a smart phone for a week so maybe there is a better way to get passwords into it?

    • If the password store that you’re using (i.e. whatever site you’re logging into) doesn’t hash their passwords first, and salt their hash table second, dictionary phrases are about as useful a password as 123456.

      As a fun test, see if you can recover your password, i.e. if you can have someone email you back your current password. If you can, the password store that you’re using is worthless, and you should assume that the password/username (or email address) combination pair is compromised and public knowledge.

      Password recovery should always be a reset process – where you get a new password. If software can recover your password from a database to send it back to you. A reset process doesn’t prove that the site/resource/whatever actually secures their credential store well. But if it’s not there? You know they haven’t secured it well.

      If you’re curious why this is an issue, imagine you log into facespace+ with

      username: [email protected]
      password: [email protected]$$w0rd!

      how many other websites do you log into with those credentials? Do you use the same password to log into your email? Do you get internet banking statements to your email? Etc. If facespace+ now gets hacked and their password store compromised and your passwords are stored in plain text – the hackers now know that username and password pair. They can go try it at your mail service, and then at every other common website online, where they can harvest more and more information about you. Maybe they just clean out your bank accounts. Maybe they do identity theft and fuck up your credit. Or maybe you work for someone important and they use you as a vector for major espionage activities. That looks great on your resume.

      Even if your passwords are stored in an unsalted hash table, the hackers can then run a rainbow table against it and potentially recover your credentials much more quickly than conventional brute forcing, and insanely quickly if you’ve used the dictionary phrase approach advocated by xkcd.
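The three storage schemes the comment above contrasts, as an added example that is not part of the original comment or article. The tiny “common password” list is constructed for the example and stands in for an attacker’s precomputed table; the salted scheme uses PBKDF2-HMAC-SHA256 with a per-user random salt, one of several standard choices (the comment names no specific algorithm).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for an attacker's wordlist of leaked/common passwords.
COMMON = ["123456", "password", "iloveyou", "qwerty", "P@ssw0rd!"]

# Precomputed "hash -> password" lookup for the unsalted scheme. This is the
# idea behind a rainbow table: hash the wordlist once, then reuse the table
# against every breached database that used the same unsalted hash.
PRECOMPUTED_SHA256 = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}

PBKDF2_ROUNDS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def store_plaintext(password: str) -> str:
    """The only scheme that can email you your current password back.
    A dump of this table is directly usable on every other site you reuse it on."""
    return password


def store_unsalted_sha256(password: str) -> str:
    """Hashed, but the same password always yields the same record,
    so one precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + deliberately slow key derivation, stored as
    'salt$hash' in hex. Precomputation is useless because the attacker
    cannot know the salt in advance, and each guess costs PBKDF2_ROUNDS hashes."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """The site recomputes with the stored salt and compares in constant time.
    Note it can only answer yes/no; it cannot recover the password to mail it."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_with_table(record: str) -> Optional[str]:
    """Attacker's instant lookup; works only when the record depends on
    nothing but the password."""
    return PRECOMPUTED_SHA256.get(record)


def crack_salted_by_guessing(record: str, wordlist) -> Optional[str]:
    """Against a salted record the attacker is back to trying guesses one at a
    time, per user, paying the full KDF cost for each."""
    for guess in wordlist:
        if verify_salted_pbkdf2(guess, record):
            return guess
    return None


if __name__ == "__main__":
    alice = store_unsalted_sha256("iloveyou")
    bob = store_salted_pbkdf2("iloveyou")
    carol = store_salted_pbkdf2("iloveyou")
    print("unsalted record cracked instantly:", crack_with_table(alice))
    print("salted record in precomputed table:", crack_with_table(bob))
    print("same password, two users, identical records?", bob == carol)
    print("salted record cracked only by slow per-user guessing:",
          crack_salted_by_guessing(bob, COMMON))
```

Salting does not make a common password strong: `iloveyou` still falls to a short wordlist, just slowly and one user at a time. That is why the two halves of the advice go together: the site must hash with a salt and a slow KDF, and you must pick a password that is not on the list.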

      • As a note on mixed case and special characters – roughly what percentage of people with ‘secure’ passwords do you figure capitalized the first letter of their password, and then put an exclamation at the end? How many of them do you figure replace vowels from dictionary words with numbers and special characters like a for at? How hard do you figure it would be for a hacker building a dictionary for dictionary attacks, to expand his dictionary to include capitals for the first character, exclamations for the last letter and some basic ‘l33t sp34k’ substitution rules to guess a bunch of common ‘secure’ passwords?

        Randomness is hard to crack. Grammar and l33t sp34k don’t add randomness to your password. They add a constrained set of changes. Instead of growing the dictionary that a hacker has to use to guess your details exponentially, they barely add any overhead at all.
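An added example (not the commenter’s code) that builds the kind of rule-based dictionary the comment above describes, so the “barely any overhead” claim can be counted rather than asserted. The five-word base list is constructed for the example; the three rules (capitalise the first letter, swap letters for look-alike symbols, append a digit and/or ‘!’) are the habits the comment names.

```python
import itertools
import math
import string

# Constructed five-word base list; real attacker dictionaries hold millions of
# words plus every password from previous leaks.
WORDS = ["password", "summer", "dragon", "monkey", "football"]

# The usual letter-for-symbol substitutions ("l33t sp34k").
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Common endings: nothing, a single digit, '!', or a digit followed by '!'.
SUFFIXES = ("",) + tuple(string.digits) + ("!",) + tuple(d + "!" for d in string.digits)


def leet_variants(word: str):
    """Yield the word with every combination of substitutable letters swapped,
    from none at all ('password') to all of them ('p@$$w0rd')."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def mangle(word: str) -> set:
    """Apply all three rules to one word and return every candidate produced."""
    out = set()
    for base in leet_variants(word):
        for cased in (base, base.capitalize()):
            for suffix in SUFFIXES:
                out.add(cased + suffix)
    return out


def build_dictionary(words) -> set:
    """The attacker's expanded wordlist: every mangled form of every base word."""
    cands = set()
    for w in words:
        cands |= mangle(w)
    return cands


def bits_with_rules(dictionary_words: int, variants_per_word: int) -> float:
    """Search space the rules create. The rules multiply the dictionary by a
    fixed factor, i.e. they add a constant number of bits, no matter how long
    the word is."""
    return math.log2(dictionary_words * variants_per_word)


def bits_random(length: int, alphabet_size: int) -> float:
    """Search space of a truly random password of the same length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    cands = build_dictionary(WORDS)
    print("candidates from", len(WORDS), "words:", len(cands))
    print("'P@ssw0rd!' in list:", "P@ssw0rd!" in cands, "| 'Summer1!' in list:", "Summer1!" in cands)
    per_word = len(mangle("password"))
    print(f"rules multiply each word by {per_word} (~{math.log2(per_word):.1f} bits)")
    print(f"1,000,000 words x rules: {bits_with_rules(1_000_000, per_word):.1f} bits")
    print(f"random 9-char alphanumeric:  {bits_random(9, 62):.1f} bits")
```

Even against a million-word dictionary, the three rules add about ten bits, leaving the attacker a search of roughly 2^29 candidates, while a random nine-character alphanumeric string is about 2^54. That gap is why a generated password beats a cleverly disguised word of the same length.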

  • I have been using LastPass for almost a year now. I have a master password to access it which is about 15 random numbers, and according to How Secure Is My Password it would take about 126 years for it to be cracked. Not sure how accurate this is, but it makes me feel more secure.

  • Some people have corporate IT that doesn’t allow you to have browser extensions, essentially locking you out of your accounts at work.

    There’s a dead simple solution: use the xkcd method, 4 words, make up a mnemonic or riddle or rhyme related to the site. Easy to enter on mobile devices, easy to remember, unique, long enough etc etc

    Password managers to me seem like a serious false sense of security, eggs in one basket solution, and I’m going to giggle like a little bitch when one of them gets compromised and people’s credentials get exposed, not just for one site a la Sony, but their entire digital life, Facebook, Gmail, internet banking, the lot.

  • This may be an uninformed question, but if you’re using keepass or similar, aren’t you handing someone every single password you have, if they get access to your keepass account? You have only 1 password protecting everything, and it’s carried around on your laptop, phone or USB?

    • I’m using Dashlane and the primary password isn’t carried anywhere. I have one memorised password, they handle the rest. Granted, if that password gets compromised I’m stuffed, but I’m confident that this password is secure. Nobody knows it, it’s not written down anywhere, it’s not stored on my computer, it’s not a dictionary word, etc. etc. etc.
