Despite all the hacks and data breaches that fill the headlines, many of us still use weak passwords to protect work and personal accounts. One reason this problem persists is that the difference between good and bad passwords is not always clear. What is a bad password, and how can you avoid using one?
11 Common Bad Password Mistakes
Creating a bad password is easy since most examples of bad passwords suffer from oversimplification, duplication, or both. The best way to ensure you’re always using strong and unique passwords is to avoid these common mistakes.
Password creation mistakes
- Familial names: Information like first names, kids’ names, and even pet names finds its way into passwords frequently because it’s easy to remember. Since this identifying information can also be found on your mail and often online, be sure to omit it from your passwords.
- Personal information: Additional personal information like addresses, phone numbers, and birthdays can also provide a starting point for a hacker attempting to guess your password, so the safest practice is to leave out anything related to identity.
- Preferences: Social media accounts are another source of identifying information. If you include preferences like favorite sports teams and vacation destinations in your passwords, they can become a trail of breadcrumbs between your social media accounts and your secure credentials.
- Simple sequences: Simple strings of numbers like 12345 or 56789 are too basic and too easy for others to guess to be used as a strong password, or even as part of one.
- Predictable characters or dictionary words: Predictable characters in a row, such as “qwerty,” or common dictionary words, especially “password,” should be avoided. Instead, include a variety of symbols in your password, such as uppercase letters, lowercase letters, numbers, and special characters, to strengthen password security. You should also insert special characters and uppercase letters into the middle of the password, not just the beginning or end.
- Short, non-complex passwords: According to the Center for Internet Security (CIS), length is the most important aspect of a good password. Sophisticated hacking tools can crack short (8 characters or fewer) passwords in less than three seconds, but this time increases exponentially with each additional character.
Password habit mistakes
- Reused passwords: No matter how long, complex, or unique they are, passwords reused on multiple accounts instantly become bad passwords since you’re exposing multiple accounts to cybercriminals.
- Physically stored passwords: One of the best ways to protect your password is to ensure no one else has (or can get) access to it. This rules out sticky notes, scraps of paper, and other antiquated physical storage methods.
- Not changing your passwords after a data breach: Resetting passwords at regular, preset time intervals is no longer a recommended best practice, but you should always change passwords after a data breach involving those passwords.
- Passwords stored in a browser: Storing passwords in internet browsers is never a good idea since passwords saved in browsers aren’t typically protected with encryption to scramble them and make them unreadable to hackers. And, if your device is lost or stolen, your passwords are exposed to whoever accesses that device next.
- Insecurely shared passwords: Sharing passwords is a common practice, particularly for things like online subscriptions and retail accounts. Unless you’re using a password manager with a secure sharing portal, your information becomes vulnerable if someone you’ve shared with is impacted by cybercrime.
10 common bad password examples
There’s no shortage of bad password examples demonstrating one or more password creation mistakes. Perhaps it’s no coincidence that many commonly used passwords are also commonly breached. Our bad password list provides some great examples of what not to do.
- Password: This unimaginative password is the #1 most commonly used today. It should not be surprising to learn that it’s also the most commonly hacked.
- 123456: This second most commonly used password not only lacks originality but relies on the simple sequences and sequential characters that top our list of mistakes.
- Qwerty123: This password does combine letters and numbers, but it’s still extremely weak due to the common, predictable order of those letters and numbers.
- LoveAngel: Terms of endearment are another characteristic that can land a password on the most frequently hacked list. This example, combining two such terms, is neither random nor complex.
- Sharon481982: This example shows some improvement in randomness and character count, but the presence of a first name and birthdate places it squarely in the bad category.
- 121CedarLn: Who knows just how many residents of various cities and towns share this familiar address, but using it as your password certainly narrows the possibilities.
- MiloIsAGoodDog: But unfortunately, he makes a bad password since information like pet names can be found on social media accounts. You need to omit Milo, Polly, and even Whiskers from your password.
- #1SteelersFan: Preferences like sports teams and hobbies can tip off a hacker and give them obvious passwords to guess. It’s better to leave them out.
- RedFerrari: While there are thousands of red Ferrari owners in the world, thousands more are using this common and utterly predictable password.
- Solarwinds123: If you think using “solarwinds123” as your password when you work for an IT firm called SolarWinds is a bad idea, you’re right. So bad, in fact, that this bad password allowed hackers to spy on federal agencies as part of a security breach that went undetected for months. Never use your company’s name in a personal or professional password.
One factor that always makes passwords easy to guess (or hack) is how common they are. That’s why we’ve compiled a list of the most commonly used passwords. See if your passwords are on the list.
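The creation mistakes above can be checked mechanically before a password is accepted. The following Python sketch is an added example, not Dashlane's code: it flags short length (using the 8-character threshold mentioned earlier), common passwords, simple sequences, dictionary words, and personal details. The word lists, the function names `audit` and `has_sequence`, and the personal tokens are constructed for illustration; a real check would load a breached-password corpus and a full dictionary.

```python
# Constructed sample lists (assumption): stand-ins for a real common-password
# corpus and dictionary.
COMMON = {"password", "123456", "qwerty123", "loveangel", "redferrari"}
WORDS = {"password", "love", "angel", "ferrari", "fan", "dog", "good"}
TRACKS = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",  # keyboard rows
    "abcdefghijklmnopqrstuvwxyz", "0123456789",          # alphabet, digits
]


def has_sequence(pw, run=3):
    """True if pw contains `run` characters in keyboard, alphabet or digit order."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in track for track in TRACKS):
            return True
    return False


def audit(pw, personal=()):
    """Return the creation mistakes found in pw, in a fixed order.

    `personal` holds tokens tied to the user (names, birth year, employer).
    """
    low = pw.lower()
    findings = []
    if len(pw) <= 8:                      # "8 characters or fewer" is short
        findings.append("short")
    if low in COMMON:
        findings.append("common")
    if has_sequence(pw):
        findings.append("sequence")
    if any(word in low for word in WORDS):
        findings.append("dictionary")
    if any(tok.lower() in low for tok in personal if len(tok) >= 3):
        findings.append("personal")
    return findings


if __name__ == "__main__":
    samples = [("Password", ()), ("Qwerty123", ()),
               ("Sharon481982", ("Sharon", "1982")),
               ("Solarwinds123", ("SolarWinds",))]
    for pw, tokens in samples:
        print(pw, audit(pw, tokens))
```

An empty result only means none of these specific mistakes was found; it says nothing about reuse across accounts or exposure in a breach.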
The risks of having a bad password
While some of the examples on our bad password list might be amusing, they can also introduce cybersecurity risks and create other inefficiencies for computer users and IT teams. The risks introduced by weak, repetitive, or poorly protected passwords include:
When sensitive information like login credentials, account information, or intellectual property (IP) is compromised in a security incident, this is classified as a data breach. Common hacking tactics used to gain unauthorized access to a device, server, or account include:
- Brute-force attacks: Endless random combinations of usernames and passwords are entered with the assistance of a computer program until a match is found. Common passwords like “123456” or “Password” make us more susceptible to this tactic since the algorithms used by hackers can easily guess them.
- Phishing: Misleading emails disguised as urgent requests from reputable companies ask us to respond with passwords, account numbers, or other confidential information. Some also include links to dangerous malware or spyware. Slightly altered company URLs, misspellings, and grammatical errors are some of the telltale signs of a phishing email.
- Credential stuffing: This method uses automated software to cycle through username and password combinations stolen during a data breach. Although this tactic has a low success rate, bad passwords and reused passwords increase the hacker’s odds. Password managers and 2-factor authentication (2FA) provide a solid defense against credential stuffing by improving password strength and preventing unauthorized users from logging in.
Information on the dark web
If your password has been compromised and your information was leaked, you may not be aware of it until your information is shared or sold illegally. Dark web monitoring is used to scan the depths of the internet for your personal information and alert you when your password or account details are detected and need to be changed.
More than one-third of computer users reset their passwords roughly once a month, while another 15% change passwords multiple times each week. Bad passwords and poor password storage habits can lead to set-forget-reset loops that spiral into progressively weaker and more commonly reused passwords as we quickly create replacement credentials.
Hard-to-maintain access control and visibility
Bad passwords and unsafe password habits can weaken cybersecurity for businesses and make it difficult to manage employee access controls. Shared or improperly stored passwords might be retained by employees who leave the company, while weak passwords make the company more vulnerable to common hacking tactics.
Poor overall cyber health
Bad passwords directly contribute to poor password health. This metric is determined for companies or individuals based on the number of weak, reused, or compromised passwords they’re using. Password managers provide a password health score that features a real-time scorecard, helping you identify password weaknesses and track your improvement over time.
How Dashlane keeps your passwords safe
Dashlane Password Manager includes features and tools to ensure you never end up on the bad password list. Easily generate, store, and autofill strong passwords securely with AES-256 encryption and zero-knowledge architecture. Use 2FA to safely access your passwords, your password health score to track your password strength, and dark web monitoring to identify if your information has been leaked on the dark web.
Sometimes, we can get in our own way when it comes to password security, so why not leave it to the experts? Quickly and easily generate a super strong password with this free password generator.