7 Mistakes You’re Probably Making With Your Passwords

We all believe a few more privacy myths than we should. Many of us assume that we’re protected by our browsers’ private modes — we think that we can browse anonymously if we try hard enough. Or, we assume that the emails we send are secure and private. And, some of us even make excuses to avoid thinking about privacy, like assuming that if we’re not doing anything wrong, we don’t need to worry. We believe that if nobody else is worried about privacy, then we don’t have to be either.

If you take the time to think about what privacy you really have online, you’ll probably realize that it’s in your best interest to take at least a few basic precautions to protect yourself on the internet. The easiest way to do that is to start with the simplest unit of internet security: the password. We’ve shared some advice on how to choose the best password, and we’ve made the case for why you need a password manager.

But we all have our limitations, especially when it comes to the time and energy we can spend on things like passwords. Despite our best intentions (or the number of articles we read about our online security), we all still make mistakes in protecting our privacy online. Read on to check out some common mistakes you’re probably making with your passwords.

1. Choosing short passwords

woman typing on laptop

One of the worst password mistakes you can make is choosing passwords that are too short | iStock.com/StockRocket

A short password is an insecure password, no matter how you slice it. At minimum, you should choose a password that’s eight characters long, and you should never use one that’s comprised of fewer than six characters. In general, the longer the better, so somewhere between 12 and 14 characters is a good goal to aim toward. If the website, app, or service allows, you can choose an even longer password in order to add extra protection to critical logins, like for your bank account.

While we’re on the topic of choosing long passwords instead of short passwords, you should also think about expanding your field of available characters beyond the letters of the alphabet. It’s ideal to use a mix of alphabetical and numeric characters and to use a combination of lowercase and uppercase letters. If the app or service in question allows you to use symbols, you should use them as well. 

2. Using passwords that are easy to figure out

Businessman looking at his laptop

Another mistake? Choosing passwords that would be easy for a hacker to guess | iStock.com

Another big password mistake is including predictable words, dates, and phrases in your passwords. You shouldn’t use your name or initials in any form. Don’t use any part of your ID number, user ID, or username. Don’t include common names, and refrain from using the name of a relative or a pet. And avoid including your phone number, address, birthday, or anniversary. You shouldn’t use common acronyms, geographical names, product names, technical terms, or names from popular culture. Similarly, you shouldn’t use all-numeral strings like your license plate number or your Social Security number.

Other password types that are too easy for hackers to figure out include single words preceded or followed by a single numeral, punctuation mark, or symbol. You should also avoid words or phrases with all of the vowels deleted. And refrain from using words or phrases that don’t mix upper and lowercase, or don’t mix letters with numbers or punctuation. Finally, avoid using any word that exactly matches a word in the dictionary (whether it’s spelled forward or in reverse, pluralized, or with some or all of the letters capitalized). Avoid all predictable password-composing formulae to minimize the changes of a hacker cracking your passwords. 

3. Repeating the same password

Employees all working in the same room

Reusing and repeating passwords is another big mistake when it comes to online security | iStock.com

A password mistake to avoid making is repeating the same password across apps, websites, or services. If one account is compromised, you’ll need to change the password for that specific account. But if you use a unique password for each of your accounts, you won’t have to change them all.

Instead of repeating the exact same password (as some of us are tempted to do), others opt to repeat the same basic password with just a few letters or numbers changed. That’s a poor security strategy, too, since a hacker who gets their hands on one of your accounts may be able to log into others. It’s a good idea to make sure that the passwords for all of your accounts are completely unique and hard to guess. 

4. Choosing passwords that you can’t remember

office work

Choosing passwords that you can’t remember can be a mistake, depending on the circumstances | iStock.com

Using a great password manager will generally exempt you from having to remember most of your passwords, which is a great benefit, since you’ll be able to use more complicated passwords to protect important accounts. But for passwords that you routinely need to enter, it’s a great idea to create passwords that you can remember — so long as you don’t take that as an excuse to choose short or otherwise insecure passwords.

A common tactic is to choose a memorable phrase, and then to use a combination of numbers, letters, and symbols to create a unique version of it. You can combine two unrelated words, pick an acronym for a quote or phrase, choose a deliberately misspelled term, or pick a phonetically pronounceable nonsense word. It’s smart to pick a phrase that you’ll mentally associate with the app or service in question. From there, you can alter the phrase with numbers and symbols. It may not seem obvious why you’ll need passwords that you can remember, which brings us to our next point.

5. Writing your passwords down

Office workers writing in notebooks

Writing your passwords down on paper is a major security mistake | iStock.com

Even when you create a strong, unique password that follows all of the best practices, you’ll immediately negate those efforts if your next step is to write the password down in a notebook or put it on a Post-It note next to your computer. Sure, a hacker who’s remotely accessing your system won’t be able to find your passwords if they’re written down on paper. But a password notebook puts you at risk if you have snooping relatives or even a burglar in your house.

A much better alternative to writing your passwords down on paper is to use a password manager instead. A password manager will not only help you generate strong passwords, but will also save your passwords for you. The only password you’ll need to remember is the one you’ll use to unlock the password manager. Using a password manager will help you stop worrying about remembering all your passwords. And you can use the software to generate extremely strong passwords without spending lots of time thinking about it. 

6. Forgetting about your email password

Man on his desktop computer

Neglecting to update and secure your email password can have a major detrimental effect on your online security | iStock.com

All of your passwords are important, but that goes double for the password that you use to protect your email address. You may think that the passwords for your bank account or your credit card may be the most important password to update and protect. But one of the most critical is actually the one that secures your email address, since anytime you need to reset the password for any of your other accounts, the message that enables you to do so will go to your email inbox.

Choosing a secure password for your email, and changing it regularly, is an important step. It’s critical not only for protecting your email account and all of the personal data it contains, but also for protecting the rest of the accounts that are associated with your email address. If someone gets into your email account, they can likely go around and reset the passwords of any number of your other accounts.

7. Never changing your passwords

man rubbing his eyes while he works on a laptop

Never changing your passwords is a bad security move | iStock.com

Creating and securely saving strong passwords is great, but it does you no good if you create a password and then never change it. People who regularly change their passwords — following recommendations to change them every six months, every three months, or even more often — tend to make them less secure. (All that password creating can take a toll on your password-related creativity.) You don’t need to change your passwords on a schedule. But if your account has been affected by a data breach, that’s a great time to change the associated password.

Another good time to change a password? If you realize that you haven’t changed said password in years. Especially if you’ve been using the same password for years, that password probably doesn’t follow all of the guidelines for strength and security. Safeguard your privacy by changing your passwords at least occasionally and making sure that they’re all as secure as you can make them. And while you’re at it, make sure that the other security features of your accounts are updated. You can do this by turning on two-factor authentication or making sure that your security questions don’t have answers that hackers would find it easy to guess.