Published On April 26, 2021
Attackers know the most common password security mistakes people make and use that information to target their victims. Here are ways to foil them.
A list of the most common passwords of 2020 shows little change from lists that came before it. According to the findings, “123456” topped the ranking, followed by “123456789,” “picture1” and “password.” Hopefully, your own password security practices are more rigorous than these, but even conscientious computer users can make mistakes that leave them open to compromise. The risk isn’t that criminals are going to repeatedly visit a single website to crack into your account — most sites that house sensitive information cut off repeated access attempts, anyway. The bigger problem is when hackers download a user database and then methodically churn through login and password combinations to crack as many as they can. The dictionary-based and brute-force software they use is so good that experts say attackers can usually unlock more than half of the accounts in just a day or two.
Even the most security-minded people make some basic mistakes that leave them vulnerable. Here are three common mistakes you should stop making right away.
1. Don’t use the same password for multiple sites. More than 53% of Internet users do this, according to SecureAuth, for obvious reasons of convenience. It’s not a serious problem for sites that don’t store personally identifiable information, financial or healthcare records — but you should never use similar passwords to safeguard sensitive information. Once criminals associate a decoded password with a username, they can use bots to visit hundreds of financial, government and health care websites to test those same credentials. If you slipped up and used the same password for online banking as you did for a free news site, you could be at their mercy.
2. Don’t use easily guessed substitutions. Many websites set rules for password security, such as requiring a certain length, a combination of upper and lower-case characters and special symbols. It’s possible to satisfy these rules with simple substitutions, such as “P@$$w0rd,” but you should avoid this temptation. Password cracking software is designed to test for these common swaps first, making your clever tactic a simple nuisance. A better technique is to use substitutions that aren’t obvious, such as “>” for the letter “a.”
3. Don’t base passwords on personal information. Avoid using your own name, names of family members, birth dates, street addresses, towns and even pet names in passwords. Attackers harvest this information from social networks and feed it into their cracking tools to generate likely password combinations.
So, what should you do? The best password security practice is to choose strings that are lengthy and composed of random letters, numbers and symbols, such as “FH9y5*n0W.” There are many free websites that generate passwords for you using the criteria you specify. There are also many free password managers that store all your passwords in a secure vault so that you only have to remember one.
Easy to Remember, Difficult to Guess
To make your password easy to remember, but difficult to guess, be sure to include three of the four character types listed below:
English uppercase letters (e.g. A, B, … Z)
English lowercase letters (e.g. a, b, … z)
Western Arabic numerals (e.g. 1, 2, 3, … 0)
Special characters (non-alphanumeric e.g. !, ?, $, … %)
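The following is an added example, not part of the original article: a small check a site or user could run that applies the three-of-four character type rule above and also rejects passwords that reduce to a common one after undoing obvious substitutions, as described in mistake 2. The function names and the substitution table are assumptions made for illustration; the common-password set is the 2020 list quoted earlier.

```python
# Added example. COMMON comes from the 2020 list quoted in the article;
# the swap table and all function names are illustrative assumptions.
COMMON = {"123456", "123456789", "picture1", "password"}

# Constructed, non-exhaustive table of obvious character swaps.
SWAPS = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                       "0": "o", "1": "i", "!": "i", "3": "e", "7": "t"})


def char_classes(pw):
    """Count how many of the four character types appear in pw."""
    return sum([
        any(c.isascii() and c.isupper() for c in pw),
        any(c.isascii() and c.islower() for c in pw),
        any(c.isascii() and c.isdigit() for c in pw),
        any(c.isascii() and not c.isalnum() for c in pw),
    ])


def normalize(pw):
    """Lowercase the password and undo the obvious swaps."""
    return pw.lower().translate(SWAPS)


# Common passwords in normalized form, so swapped variants compare equal.
NORMALIZED_COMMON = {normalize(p) for p in COMMON}


def evaluate(pw):
    """Return (meets_three_of_four_rule, rejection_reason_or_None)."""
    meets_rule = char_classes(pw) >= 3
    if pw.lower() in COMMON:
        return meets_rule, "on common-password list"
    if normalize(pw) in NORMALIZED_COMMON:
        return meets_rule, "common password with obvious substitutions"
    return meets_rule, None


if __name__ == "__main__":
    for candidate in ["password", "P@$$w0rd", "P!cture1", "FH9y5*n0W"]:
        print(candidate, evaluate(candidate))
```

“P@$$w0rd” contains all four character types and still gets rejected, which is why a composition rule on its own is not a sufficient check.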
Add An Extra Layer of Security
These days, choosing your password wisely should not be your sole strategy to keep your data secure. Multi-factor or dual-factor authentication adds an extra layer of security between you and a hacker. Tools like these ensure that unauthorized access is far more difficult and doesn’t go unnoticed.
Other quick tips include updating your password every 90 days and never reusing the same password for ten renewals. Whatever tactics you use, the more thought you put behind your password choice, the more difficult it is for a hacker to access your information.