See how fast a hacker could break your password - and learn why it matters.

5 Common Password Mistakes You’re Probably Making

Most people know they should use strong passwords, but surprisingly few actually do. Here are the five biggest password mistakes we see time and again - and straightforward fixes you can apply today.

Mistake 1

Reusing the Same Password Everywhere

Research consistently shows that over half of people reuse the same password across multiple accounts. It makes sense from a convenience standpoint - who wants to remember dozens of different passwords? But it creates a massive vulnerability.

Here is the problem: when a small website or forum gets hacked (and they do, regularly), the attackers grab everyone's email and password combinations. They then try those same credentials on bigger targets - your email, your bank, your social media. This technique is called credential stuffing, and it is devastatingly effective. If you use the same password for a gaming forum and your email, one breach can compromise everything.

The fix: Use a password manager to generate and store a unique password for every account. It is the only practical way to have hundreds of different passwords without losing your mind.
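To make the credential-stuffing pattern concrete from the defender's side, here is an added example (not code from the original article) of a detection pass over authentication logs. The log lines, IP addresses and user names are constructed for the example; the fingerprint it looks for is the one described above: one source trying many different usernames in a short burst, mostly failing, with the occasional success marking an account whose reused password was in the leaked list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Format: ISO timestamp, source IP, username, result (OK or FAIL).
SAMPLE_LOG = """\
2025-03-01T10:00:01 203.0.113.7 alice@example.com FAIL
2025-03-01T10:00:02 203.0.113.7 bob@example.com FAIL
2025-03-01T10:00:03 203.0.113.7 carol@example.com FAIL
2025-03-01T10:00:04 203.0.113.7 dave@example.com OK
2025-03-01T10:00:05 203.0.113.7 erin@example.com FAIL
2025-03-01T10:00:06 203.0.113.7 frank@example.com FAIL
2025-03-01T10:00:10 198.51.100.4 grace@example.com FAIL
2025-03-01T10:00:40 198.51.100.4 grace@example.com FAIL
2025-03-01T10:01:05 198.51.100.4 grace@example.com OK
2025-03-01T10:02:00 192.0.2.9 heidi@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return {"time": datetime.fromisoformat(ts), "ip": ip, "user": user, "result": result}


def detect_credential_stuffing(log_text, window_minutes=5, min_distinct_users=5, min_failure_ratio=0.8):
    """Flag source IPs that try many *different* usernames inside a short window,
    mostly failing. That is the fingerprint of credential stuffing: a stolen
    list of email/password pairs replayed against this site. One user mistyping
    their own password (a single username, a few failures) is not flagged.
    Successful logins inside a flagged burst are the accounts to reset first."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(evs)):
            # slide the window start forward until events [start..end] fit in the window
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            stats = {
                "distinct_users": len({e["user"] for e in span}),
                "attempts": len(span),
                "failures": sum(1 for e in span if e["result"] == "FAIL"),
                "compromised": sorted(e["user"] for e in span if e["result"] == "OK"),
            }
            if best is None or stats["distinct_users"] > best["distinct_users"]:
                best = stats
        if (best and best["distinct_users"] >= min_distinct_users
                and best["failures"] / best["attempts"] >= min_failure_ratio):
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, s in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {s['distinct_users']} usernames, {s['failures']}/{s['attempts']} failures, "
              f"successful logins to reset: {s['compromised']}")
```

Run against the constructed log, only 203.0.113.7 is flagged; grace's three attempts from 198.51.100.4 are one person getting their own password wrong, which the distinct-username threshold deliberately ignores. Real deployments key on more than IP (stuffing tools rotate through proxies), but the signal is the same.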

Mistake 2

Using SMS for Security Codes

Two-factor authentication (2FA) is a brilliant extra layer of security, and getting a text message code is certainly better than having no second factor at all. However, SMS is the weakest form of 2FA available. Attackers can use a technique called SIM swapping to convince your mobile provider to transfer your phone number to a new SIM card. Once they have your number, they receive your security codes instead of you.

SIM-swapping attacks are not just theoretical. They have been used to steal cryptocurrency, break into social media accounts and even target business executives. The process is shockingly straightforward for a determined attacker.

The fix: Switch to an authenticator app like Google Authenticator, Microsoft Authenticator, or Authy. These compute codes directly on your device from a secret shared with the site during setup, so there is no text message for a SIM swapper to receive. Better still, use passkeys wherever they are supported: they are bound to the genuine site, so a look-alike phishing page cannot capture them the way it can capture a typed code.
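To show why an authenticator code has nothing to intercept, here is an added example (not code from the original article) of how a TOTP code is derived on both sides: the app and the server each hold the same secret and compute the code from the current time, so no code ever travels over the phone network. The secret below is the published RFC 4226 / RFC 6238 test secret, chosen so the results can be checked against the standard; a real enrolment would generate a random one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over an 8-byte counter,
    dynamic truncation to a 31-bit integer, then the last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                  # counter as 8-byte big-endian
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte selects a 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the HOTP counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, step: int = 30, drift_steps: int = 1) -> bool:
    """Server-side check: accept one step either side to absorb clock drift, compare in constant time."""
    for drift in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, at_time + drift * step, step), submitted):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Apps display or scan the shared secret in Base32; strip spacing and restore padding."""
    compact = text.replace(" ", "").upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Enrolment in practice would use secrets.token_bytes(20) and show it to the app as Base32.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("code the app would show now:", code)
    print("server accepts it:", verify_totp(RFC_TEST_SECRET, code, now))
```

The server must store the shared secret, so a breach of the server exposes it; that is the trade-off passkeys remove, since the server then holds only a public key.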

Mistake 3

Ignoring Your Digital Legacy

This one might feel morbid, but it is genuinely important. What happens to your online accounts if you are no longer around to manage them? Photos stored in cloud services, email archives, financial accounts, subscriptions that keep billing - all of these need to be accessible to someone you trust.

Most people never think about this until it is too late. Without access to your password vault, your family could face a long and distressing process trying to recover accounts through customer support, often with limited success.

The fix: Use a password manager that offers emergency access or trusted contact features. Managers like RoboForm and 1Password let you nominate someone who can request access to your vault after a waiting period. Set this up now - it takes five minutes and could save your family enormous stress.

Mistake 4

Picking Predictable Patterns

Adding an exclamation mark at the end of your password, or changing Spring2025 to Summer2025 every few months, might feel like you are being clever. Unfortunately, attackers know these patterns inside out. Modern cracking tools are specifically designed to test these kinds of predictable variations.

Common patterns that give a false sense of security include capitalising the first letter, swapping letters for similar-looking numbers (3 for e, 0 for o), and appending the current year. These tricks are decades old and every password-cracking toolkit accounts for them. Read more about what actually makes a good password.

The fix: Let your password manager generate truly random passwords. If you need one you can remember (like a master password), use a passphrase of four or more completely unrelated words, such as blanket-circus-marble-seven. Check how long yours would take to crack with our password strength checker.
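The two halves of this fix, spotting the predictable patterns named above and generating a passphrase properly, are shown in the following added example, which is not code from the original article or its strength checker. The word list and the list of common base words are constructed stand-ins; a real checker would compare against a large breached-password list and a real generator would use a published list such as the EFF long list of 7776 words.

```python
import math
import re
import secrets

# Constructed mini-list of common base words; a real checker uses a large breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "spring", "winter",
                "autumn", "dragon", "monkey", "qwerty"}

# The classic letter-for-symbol swaps; cracking rules undo these automatically.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def predictable_patterns(password: str) -> list:
    """Return the predictable 'tricks' found in a password, peeling them off one at a
    time the way a rule-based cracker would, then checking whether a common word is left."""
    findings = []
    core = password
    if re.search(r"[!?.#*]+$", core):
        findings.append("trailing punctuation")
        core = re.sub(r"[!?.#*]+$", "", core)
    if re.search(r"(19|20)\d{2}$", core):
        findings.append("trailing year")
        core = re.sub(r"(19|20)\d{2}$", "", core)
    elif re.search(r"\d+$", core):
        findings.append("trailing digits")
        core = re.sub(r"\d+$", "", core)
    if core[:1].isupper() and core[1:] == core[1:].lower():
        findings.append("only the first letter capitalised")
    base = core.translate(LEET_MAP).lower()
    if base in COMMON_WORDS:
        how = " after undoing number-for-letter substitutions" if base != core.lower() else ""
        findings.append(f"reduces to the common word '{base}'{how}")
    return findings


# Constructed sample word list (16 words, 4 bits each); use a 7776-word list for real passphrases.
WORDLIST = ["blanket", "circus", "marble", "seven", "lantern", "orbit", "pepper", "velvet",
            "canyon", "ticket", "harbor", "pixel", "walnut", "meadow", "rocket", "saddle"]


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.random(), so the choice is unpredictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly random passphrase: words * log2(list size).
    Four words from a 7776-word list give about 51.7 bits; each extra word adds about 12.9."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ["Summer2025!", "P@ssw0rd", "blanket-circus-marble-seven"]:
        print(f"{pw!r}: {predictable_patterns(pw) or 'no predictable pattern found'}")
    print("generated:", generate_passphrase())
    print(f"4 words from 7776: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

The point of the entropy function is that strength comes from the size of the list and the number of words, not from how odd the words look: four words drawn uniformly from a 7776-word list are stronger than any Summer2025-style password, while four words from the 16-word sample list above give only 16 bits and exist here just to keep the example self-contained.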

Mistake 5

Saving Passwords in Your Browser

When Chrome, Safari or Firefox offers to save a password for you, it is tempting to click “yes” and move on. Browser password storage is convenient, but it is generally less secure than a dedicated password manager. Browser-saved passwords can often be viewed in the browser's own settings by anyone using your unlocked device, and they typically lack the strong encryption and additional protections that dedicated tools provide.

A dedicated password manager typically requires a master password or biometric authentication every time you access your vault. Browsers, on the other hand, often auto-fill without any additional verification, which means anyone who sits down at your unlocked computer could access your accounts.

The fix: Disable your browser's built-in password saving and switch to a proper password manager. Most managers have browser extensions that work just as smoothly, with the added benefit of proper encryption and cross-device sync. See our password strength tips for more practical advice.

How Many of These Apply to You?

If you recognised yourself in even one of the mistakes above, you are not alone. The good news is that every single one of them can be fixed in an afternoon. Start with the most impactful change - getting a password manager - and the rest will follow naturally. Once your passwords are stored securely, you can update weak ones, enable better 2FA, and set up emergency access, all from one place.

Do

  • Use a unique password for every account
  • Enable authenticator app-based 2FA
  • Set up emergency access for loved ones
  • Use random passphrases or generated passwords
  • Store passwords in a dedicated manager

Don’t

  • Reuse passwords across multiple sites
  • Rely solely on SMS codes for 2FA
  • Ignore what happens to accounts if you are not around
  • Use predictable patterns or common substitutions
  • Save passwords only in your browser

Curious how your current passwords measure up? Test your password strength with our free checker. It is completely private - nothing ever leaves your browser.
