Most people know passwords matter. But knowing and doing are different things. Here are the ten most common password mistakes — and exactly how to fix each one.

1. Reusing passwords across sites

The single most dangerous habit. When one site is breached, every account using that password is at risk. Fix: use a password manager to generate and store a unique password per site.

2. Using personal information

Your name, birthday, pet's name, hometown, or favourite team are all publicly findable. Attackers use this information to make targeted guesses. Fix: use random passwords with no connection to you.

3. Making passwords "complex" instead of long

P@ssw0rd! is complex but weak. correct-horse-battery-staple is simple but strong. Length beats complexity. Fix: aim for 16+ random characters or 5+ random words.

4. Storing passwords in a text file or spreadsheet

An unencrypted file on your desktop or in Google Drive is not secure. Fix: use a proper password manager with encryption (Bitwarden, 1Password, KeePass).

5. Using SMS for 2FA on important accounts

SMS codes can be intercepted via SIM swapping. Fix: switch to an authenticator app for email and financial accounts.

6. Never changing breached passwords

If a site you use has been breached and you haven't changed that password since, it may be in attacker databases. Fix: check haveibeenpwned.com and change any exposed passwords.
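For item 6, the password half of the haveibeenpwned.com check can be done without ever sending your password anywhere: the site's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every breached hash suffix sharing that prefix, so the actual comparison happens on your own machine. The Python below is an added example and not the site's own code. The endpoint URL is the real one; the sample response text and its counts are constructed so the logic can run offline; when fetch_range is used, only the five-character prefix leaves the computer.

```python
import getpass
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords range endpoint

# Constructed sample of what the range endpoint returns for prefix 5BAA6: one line per
# breached hash suffix, "SUFFIX:COUNT". The first and last suffixes and all counts are
# made up for this example; the middle line is the real SHA-1 suffix of "password".
SAMPLE_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
FEDCBA9876543210FEDCBA9876543210FED:1
"""


def sha1_split(password: str):
    """Upper-case SHA-1 hex of the password, split into the 5-char prefix that is
    sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_text: str) -> int:
    """Look the local suffix up in a range response; 0 means the hash was not listed."""
    _, suffix = sha1_split(password)
    for line in range_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Download the range for a 5-char prefix. The password itself never leaves the machine."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "pwned-range-check-example"},  # assumption: any UA string works
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Full check: send the prefix, match the suffix locally, return the breach count."""
    prefix, _ = sha1_split(password)
    return breach_count(password, fetch(prefix))


if __name__ == "__main__":
    # Read without echo rather than taking the password on the command line,
    # where it would end up in shell history and process listings.
    pw = getpass.getpass("Password to check: ")
    hits = check_password(pw)
    if hits:
        print(f"Seen {hits} times in breach data: change it everywhere it is used.")
    else:
        print("Not found in the breach corpus (which is not proof that it is strong).")
```

A zero result only means the hash is not in the corpus; a short or personal password that no breach has captured yet is still weak, so the result is a reason to change a password, never a reason to keep one.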

7. Using browser-saved passwords without a master password

Browser-saved passwords without encryption can be accessed by anyone with physical access to your computer. Fix: use a dedicated password manager with a strong master passphrase, or at minimum set a browser profile password.

8. Ignoring "your password was found in a data breach" warnings

Chrome, Firefox, and iOS all flag breached passwords. Many people dismiss these warnings. Fix: take them seriously and change the flagged passwords immediately.

9. Using short passwords because they're "easier to type"

An 8-character password, even fully random, can be cracked in hours with modern hardware. Fix: use a password manager so you never have to type passwords manually.
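Items 3 and 9 both come down to the same arithmetic: how many candidates an attacker has to try. The Python below is an added example, not code from this article. It generates both kinds of password the article recommends (random characters and random words) with the secrets module, and estimates the worst-case guessing time for each. The guess rate of 1e11 per second is an assumption standing in for a GPU rig attacking a fast, unsalted hash (a site using a slow hash such as bcrypt changes the numbers by orders of magnitude), and the short word list is a stand-in for a real 7,776-word diceware list.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list. A real list has 7,776 words;
# passphrases drawn from this tiny list are for demonstration only.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet",
                "cactus", "lantern", "pepper", "walrus", "ember", "quartz"]
DICEWARE_LIST_SIZE = 7776                                              # standard list size
CHAR_POOL = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ASSUMED_GUESSES_PER_SECOND = 1e11   # assumption: GPU rig against a fast unsalted hash
SECONDS_PER_YEAR = 365 * 24 * 3600


def random_password(length: int = 16, pool: str = CHAR_POOL) -> str:
    """Uniformly random password; secrets (not random) so it is unpredictable."""
    return "".join(secrets.choice(pool) for _ in range(length))


def random_passphrase(word_count: int = 5, words=SAMPLE_WORDS) -> str:
    """Diceware-style passphrase: words chosen uniformly, joined with hyphens."""
    return "-".join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate


def strength_report(rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Entropy and exhaustive-search time for the three cases the article contrasts."""
    cases = {
        "8 random chars": entropy_bits(len(CHAR_POOL), 8),
        "5 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 5),
        "16 random chars": entropy_bits(len(CHAR_POOL), 16),
    }
    report = {}
    for label, bits in cases.items():
        secs = seconds_to_exhaust(bits, rate)
        report[label] = {"bits": round(bits, 1), "seconds": secs,
                         "years": secs / SECONDS_PER_YEAR}
    return report


if __name__ == "__main__":
    print("generated password  :", random_password())
    print("generated passphrase:", random_passphrase())
    for label, row in strength_report().items():
        print(f"{label:18s} {row['bits']:6.1f} bits  ~{row['years']:.3g} years to exhaust")
```

Under the assumed rate, the 8-character random password is exhausted in under a day, which is the article's "hours" figure; five random diceware words are already years of work, and 16 random characters are far beyond any realistic budget. A human-chosen pattern like P@ssw0rd! gets none of this protection, because cracking wordlists and mangling rules try those substitutions first.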

10. Thinking "I have nothing worth stealing"

Attackers aren't targeting you personally — they're running automated attacks against millions of accounts simultaneously. Your email account alone gives access to every password reset. Fix: treat every account as worth protecting.

✅ One fix to rule them all: Most of these mistakes disappear when you use a password manager. Install Bitwarden (free), import your passwords, and spend one afternoon replacing weak ones with generated passwords. Problem solved.