“Hackers Love It” When You See These 6 Biggest Password Mistakes, Says Security Expert
The increase in cyberattacks in 2022 has created a high-risk internet landscape. But for many people, hitting “refresh” on their password habits is still not a priority.
As a cybersecurity advisor, I constantly hear stories of people having their personal information stolen because they made a simple mistake, like using the same password for multiple website logins.
After 20 years of studying online criminal behaviors, tactics, techniques, and procedures, I’ve discovered that hackers love it when people make these six password mistakes:
1. Reuse the same password.
To avoid creating an entirely new password for each account, people tend to reuse passwords with slight variations, such as an extra number or symbol. But these are just as easy for hackers to guess, and they are no match for software designed to quickly test variations of a known password.
What to do: Develop unique passwords for each of your accounts. Although it may seem daunting, password managers can be a great help in designing and organizing your password library.
2. Only create unique passwords for “high risk” accounts.
Many users only create unique passwords for accounts they believe contain sensitive information or are more susceptible to hacking, such as online banking or work apps.
But even basic user information that resides on “disposable” accounts can contain data points that fraudsters use to impersonate legitimate users. Even just your email address or phone number can be valuable to malicious actors when combined with information stolen from other breaches.
What to do: Protect all accounts, even those you rarely use, with unique passwords.
3. Go without a password manager.
In addition to multi-factor authentication, password managers are essential technologies that can reinforce smart password habits.
These managers can help you create unique passwords, each used for a single account, and autofill them into the accounts they’re linked to – a big step ahead of the 55% of users who manage passwords by memory alone.
Even if you accidentally click on a phishing link, your password manager may recognize that the site’s address doesn’t match the saved login and choose not to autofill.
What to do: Choose a password manager that matches your personal comfort level and technology needs. A few credible choices that are consistently well-reviewed include 1Password, Bitwarden, Dashlane, and LastPass. Although they all offer similar features, each differs in its advanced functionality and cost.
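The autofill check described above, as an added illustration that is not the page’s or any vendor’s code: a minimal vault lookup that only fills when the page’s whole origin (scheme, host, port) exactly matches the saved entry, so look-alike hosts and Unicode homoglyphs get nothing. The vault contents are constructed sample data; real managers use their own, usually domain-based, matching rules.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample vault (hypothetical entry, not real credentials).
VAULT = {
    "https://accounts.example.com": {"username": "alice", "password": "<secret>"},
}


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] for a URL, or None if it is not a usable web origin.

    Comparing whole origins rather than substrings is what lets the check refuse
    hosts such as accounts.example.com.evil.test or examp1e.com.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    # IDNA-encode so a Unicode look-alike (e.g. Cyrillic 'а') cannot pass as Latin.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    port = port or default
    suffix = f":{port}" if port != default else ""
    return f"{parts.scheme}://{host}{suffix}"


def autofill_candidate(page_url: str, vault=VAULT) -> Optional[str]:
    """Return the saved username for this exact origin, or None to decline autofill."""
    origin = origin_of(page_url)
    if origin is None:
        return None
    entry = vault.get(origin)
    return entry["username"] if entry else None
```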
4. Create simple passwords containing personal information.
The best passwords are not necessarily complex, but they are hard to guess. Passwords that offer strong protection are personal to you and do not contain easily gleaned information, such as your name and date of birth.
For example, strong password foundations might be the lyrics to a favorite song or your favorite order at a restaurant.
What to do: Design passwords of at least 12 characters and avoid using personal information that can be easily guessed. They should also be memorable to you and contain a variety of characters and symbols.
5. Skip multi-factor authentication.
Even the most complicated passwords can be compromised. Multi-factor authentication creates an additional layer of protection by requiring verification beyond your username and password each time you log in.
Most often, this is done through one-time passwords sent to you by SMS or email. It’s an extra step, but it’s worth it – and it creates another hurdle for attackers to clear.
What to do: There’s no way to add two-factor authentication to services that don’t offer it natively, but you should enable it wherever it’s supported.
6. Assume you won’t be a target.
It’s easy to think that cyberattacks won’t happen to you. But since data breaches and other cyber threats carry a high risk of identity theft, financial loss, and other serious consequences, it’s best to be prepared for the worst-case scenario.
As long as you’re an internet user, you’ll always be a potential target – and apathetic password habits increase your level of risk even further.
What to do: Don’t assume you are safe. Keep re-evaluating your password hygiene, and when new authentication technologies emerge, adopt them early.
John Shier is a Senior Security Advisor at Sophos and has over two decades of cybersecurity experience. He is passionate about protecting consumers and organizations against advanced threats. John has been featured in publications such as Reuters, WIRED, CNN and Yahoo. Follow him on Twitter @john_shier.