Five Password Mistakes That Put You at Risk Right Now

Data breaches expose billions of credentials every year. Most account takeovers do not involve sophisticated hacking — they happen because a password was reused, guessed, or found in a leaked database. The good news is that fixing your password hygiene is almost entirely within your control, and the changes are less painful than most people assume.

Mistake 1: Reusing passwords across accounts

This is the single most dangerous password habit, and it is extremely common. When a site you use gets breached — and sites get breached constantly, often without public disclosure for months — your email and password combination gets added to databases that attackers use to try logging into other services. This attack is called credential stuffing.

If you use the same password for your email, your bank, and a forum you signed up for five years ago, a breach of that forum potentially exposes your bank account. The forum probably does not take security seriously. Your bank probably does — but it cannot protect you if you hand attackers the key.

What to do: Every account needs a unique password. The only realistic way to manage this is a password manager (1Password, Bitwarden, and Dashlane are well-regarded options). You only need to remember one strong master password; the manager handles the rest.

Mistake 2: Using "strong-looking" passwords that are actually weak

P@ssw0rd. Tr0ub4dor&3. These look complex — uppercase, numbers, symbols — but they are trivially crackable by modern tools. Attackers know that people substitute @ for a, 0 for o, and 3 for e. These substitutions are baked into every serious password-cracking dictionary.

Password strength is primarily about length and unpredictability. A randomly generated 20-character password is vastly stronger than a clever-looking 10-character one with substitutions. The goal is not to fool a human reader — it is to be resistant to automated guessing that can try billions of combinations per second.

What to do: Use your password manager to generate passwords of at least 16–20 random characters. You do not need to remember these — that is the point. For the passwords you do need to remember (like your manager's master password), use a passphrase: four or five random words strung together are both memorable and extremely difficult to crack. "correct horse battery staple" is the classic example.
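To make the length-versus-substitution point concrete, here is an added example (not code from the original post) that generates passwords and passphrases with Python's cryptographically secure `secrets` module, computes their entropy in bits, and shows why a "clever" substitution like P@ssw0rd gains nothing: a checker that undoes the usual character swaps before comparing against a list of common base words catches it just as a cracking rule set would. The eight-word wordlist and the five-entry blocklist are constructed stand-ins; a real passphrase list such as the EFF long list has 7776 words, and real breach-derived blocklists hold millions of entries.

```python
import math
import secrets
import string

# Constructed mini wordlist for the demo. A real passphrase list (e.g. the
# EFF long list) has 7776 entries, which is what gives each word ~12.9 bits.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cloud", "violin", "pepper", "glacier"]

# Constructed stand-in for a breach-derived blocklist of common base words.
COMMON_BASE_WORDS = {"password", "troubador", "welcome", "letmein", "qwerty"}

# The substitutions the post mentions, plus a few that every mangling
# rule set also tries. Undoing them turns P@ssw0rd back into "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i",
                          "$": "s", "4": "a", "5": "s", "7": "t"})

SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = SYMBOL_ALPHABET) -> str:
    """Random password drawn with secrets.choice (not random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 5, separator: str = " ") -> str:
    """Random passphrase: each word is an independent uniform draw."""
    return separator.join(secrets.choice(words) for _ in range(count))


def normalize_leet(candidate: str) -> str:
    """Lowercase, drop trailing digits/symbols, undo common substitutions."""
    core = candidate.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def is_weak(candidate: str, base_words=COMMON_BASE_WORDS) -> bool:
    """True if the candidate is just a dressed-up common word."""
    return normalize_leet(candidate) in base_words


if __name__ == "__main__":
    # Constructed comparison: a 10-char substituted word vs. random choices.
    print("10 lowercase letters, random: %.1f bits" % entropy_bits(26, 10))
    print("20 chars from 94 symbols:     %.1f bits" % entropy_bits(94, 20))
    print("5 words from 7776-word list:  %.1f bits" % entropy_bits(7776, 5))
    for sample in ("P@ssw0rd", "Tr0ub4dor&3", generate_passphrase(SAMPLE_WORDS)):
        print(f"{sample!r}: weak={is_weak(sample)}")
    print("generated:", generate_password(20))
```

Note that `is_weak` reports a passphrase built from the sample list as fine even though the list is tiny; the entropy numbers, not the blocklist, are what tell you how much guessing work an attacker faces, which is why the wordlist size matters.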

Mistake 3: Not using two-factor authentication

Even a strong, unique password can be compromised — through phishing, malware on your device, or a breach that exposes hashed passwords that get cracked over time. Two-factor authentication (2FA) adds a second layer that attackers need to defeat even if they have your password.

SMS-based 2FA (receiving a code by text message) is better than nothing, but it is vulnerable to SIM-swapping attacks where an attacker convinces your carrier to transfer your number to their device. Authenticator apps (Google Authenticator, Authy, or the 2FA built into your password manager) are significantly more secure.

What to do: Enable 2FA on every account that supports it. Prioritise your email account (if attackers control your email, they can reset every other password), your password manager, and financial accounts. Most major services support authenticator apps — check the security settings.

Mistake 4: Trusting security questions

"What was the name of your first pet?" "What street did you grow up on?" These questions were designed decades ago as a backup authentication method. The problem is that the answers are often publicly discoverable — from social media, public records, or simple conversation — and attackers know this.

More insidiously, security questions give a false sense of security. Users feel they have added protection, when in reality they have added a second, weaker authentication path that bypasses their password entirely.

What to do: Never answer security questions truthfully. Instead, treat them as additional password fields and generate random answers, storing them in your password manager. "What was the name of your first pet?" — "Xk7#mN2pL9". Your cat's actual name is irrelevant.

Mistake 5: Not checking if your credentials have been leaked

Many people are walking around with compromised credentials and have no idea. A site they used years ago was breached, their email and password hash were stolen, the hash was cracked, and their credentials are now available to any attacker willing to pay a small fee or visit the right forum.

The service Have I Been Pwned (haveibeenpwned.com), created by security researcher Troy Hunt, lets you check whether your email address appears in any known data breaches. It is free, well-maintained, and does not store your data in a way that would compromise you further. You can also check whether specific passwords appear in breach databases — without handing over the actual password.

What to do: Check your email addresses on Have I Been Pwned today. If any appear in breaches, change the passwords for those services (and any other accounts where you used the same password) immediately. Consider signing up for breach notifications so you find out quickly in the future.
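The "without handing over the actual password" check works through k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of that hash to the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`), and receives every known hash suffix starting with that prefix along with its breach count; the match is then made locally. The example below is added here and is not code from Have I Been Pwned or the original post. It runs fully offline against a constructed range response (the suffixes and counts are made up for the demo), and includes an unused `fetch_range` helper that calls the real endpoint should you want to try it against live data.

```python
import hashlib
import urllib.request

# Documented Pwned Passwords range endpoint; only a 5-char hash prefix is sent.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str):
    """Split a 40-char SHA-1 hex digest into (5-char prefix, 35-char suffix)."""
    return hex_digest[:5], hex_digest[5:]


def what_is_sent(password: str) -> str:
    """The only thing that leaves the machine: the 5-char hash prefix."""
    return split_hash(sha1_hex_upper(password))[0]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skips padding/blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Match the local suffix against the returned range; 0 means not found."""
    _, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network call to the real API (not used by the offline demo below)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pw-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response for the prefix of "password".
# Filler suffixes are derived from unrelated strings; the counts are invented.
_PW_SUFFIX = split_hash(sha1_hex_upper("password"))[1]
CONSTRUCTED_RANGE = "\n".join([
    split_hash(sha1_hex_upper("constructed-filler-1"))[1] + ":1",
    _PW_SUFFIX + ":3861493",  # constructed count for "password"
    split_hash(sha1_hex_upper("constructed-filler-2"))[1] + ":2",
    "",
])


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"sent to server: {what_is_sent(candidate)!r}")
        n = breach_count(candidate, CONSTRUCTED_RANGE)
        print(f"  {candidate!r}: seen {n} times in the (constructed) range")
```

A password manager that offers a "check for breached passwords" feature is doing exactly this exchange; the server learns a prefix shared by hundreds of other hashes and nothing that identifies your password.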

The single most impactful change you can make today

If you do one thing after reading this, set up a password manager and migrate your most important accounts to unique, generated passwords: your email, your bank, and anything connected to your financial or personal identity. This alone addresses the most common attack vectors and gives you a foundation to build the rest of your password hygiene on.

The cost is an hour of setup and a small adjustment to how you log in. The benefit is removing the most likely path an attacker would take to access your accounts. It is one of the highest-leverage security improvements available to a non-technical person — and it requires no technical skill to implement.