Top 5 Bad Password Habits

How to avoid bad password haits

Table of Contents

Share this article:

Less than 1 second : that’s how long it will take for a fairly savvy hacker to crack the password “qazwsxedc”. So, more than ever, you need to avoid bad password habits to secure all your accounts online. To help you to spot them, we’ve compiled a list of bad password habits.  

Unfortunately, 2021 statistics show that “123456” was once again the leader in the list of the most common passwords used worldwide. Needless to say, if it requests less than 1 second to guess “qazwsxedc”, it will be even easier to compromise all accounts hiding behind this other example bad password. But what are the practices to avoid when it comes to passwords ?

Mailfence - Get your free, secure email today.

4.1 based on 177 user reviews

A list of bad password habits

An infographic displaying general bad habits of a user when choosing a password for an online account.

1 – Using the same password everywhere

Analysts estimate that some 50% of people on the Internet are still using the same password for all of their logins. This is one of the riskiest things you can do online. Because it’s only a matter of time before one of your online accounts gets compromised. 

And if you use the same keyword across multiple websites, just one website leak will allow a hacker to access to many of your other online accounts. It could be an online store where you have entered your credit card information, your Paypal account, or any other account associated with your money.  

Or alternatively, the cyber pirate would be able to reach an account on which you have entered particularly sensitive confidential information. Access to one of your accounts could also allow them to impersonate you and post hate messages on social networks to damage your reputation.

2 – Never updating passwords 

When was the last time you updated one of your passwords? If you have never done it yet, this is the time to do it. It could be useful to change your password, for example, every once a year, to avoid your account compromises if respective service provider is breached but is not yet aware of it (this practice is only useful if you set a long and complex password with no parts or variations of old password).”

3 – Having too short passwords

Short passwords are easier to guess using brute forcing. It consists of trying all possible combinations of letters until you find the right one. And don’t think that this boring job puts off hackers: they can rely on software to do the job for them! 

Avoid using too common passwords. Even better, use passphrases instead. Indeed, they’re longer and easier to remember.

So don’t do what most people do and refrain from using one of the 200 most commonly used passwords (which are also the worst ones). Also, never use an understandable word (“Dolphin”) or expression (“ILoveYou” or “Ferrari”) : Hackers’ cracking tools are designed to recognize them.

Instead, pick random expressions, combine them with uppercase and lowercase letters, and special symbols such as @ and numbers to create a complex password. Avoid replacing letters with similar symbols or numbers (5 instead of s, or @ instead of a) in an actual word or expression, because their software is programmed to spot them too.

Strong password mailfence blog comic

4 – Storing passwords in the browser

Yes, having all your passwords in your browser is convenient and allows you to connect faster to all your online accounts. But your browser is not a secure place for them.  

First, because most often, you’re connected to them by default. Which means anyone having access to your computer, phone or tablet (when it’s stolen, or hacked) will be too.  

And secondly, because the browser’s owner is more likely to have prioritized your user experience when designing it to convince you to stay with them at all costs and not your data security. So that any vulnerability in the browser/browser extension (plugins/add-on’s) can lead to compromising browser password managers.  

It’s far better to use a password manager instead. The bonus is that password managers comprise many useful features, such as a password generator to help you create strong and unique passwords.  

The same goes for the “remember me” option some websites offer. Here again, it will be very easy for any thief or cyber pirate having access to your computer, phone or tablet to log in this website and do whatever they want to do.  

5 – Sharing passwords too freely

Every one of us had to share one or two passwords at some point with someone else, whether to allow their guests to get their wi-fi at home, their kids to watch a movie on their Netflix account, or a colleague to use software in their company. But ideally, you should not do this frequently and only with people you trust.  

Even better, you should change this password as soon as this person does not need it anymore. 

If you really need to share a password with someone, use a secure way to do it.

How do you communicate a password to someone else that is not in front of you? Email, instant chat, or SMS may seem the perfect way to accomplish this task. The recipient can even copy and paste the password directly to log in!  

Unfortunately, if it is easy for your recipient, it must also be easy for the hacker who managed to intercept your message… So it’s not the best thing to do.  

A better idea is to send the message in two steps (ideally on two different media: an email and an SMS, for example), or, better, to use a secure email using message encryption, like Mailfence.

The Top 10 list of worst passwords examples

As we’ve already seen, once again, 123456 was 2021’s most used password… And it was closely followed by… 123456789. Here is the Top 10 of most common passwords compiled by NordPass, and as you can see, according to our point 2, all are terrible ones :

  • 123456
  • 123456789
  • 12345
  • qwerty
  • password
  • 12345678
  • 111111
  • 123123
  • 1234567890
  • 1234567

And the list goes on and on, with “888888” at the 59th position, “1111111111” at the 114th one, and “444444” at the 199th.

The sesames to access the Ali Baba caves that are your accounts online definitely need more sophistication!

worst password


Passwords are the core authentication layer on all of our accounts. They are also free, easy to create and manage, with the help of a password manager. So it would be a pity to lack such an easy security opportunity with terribly bad habits.

Want to learn more about good password practices? Check this post dedicated to them. And for more tips on security and privacy, you can proceed with our security & privacy awareness course. If it’s too late and your account has been compromised, you must immediately reset your password. Likewise, take these steps if your email has been hacked.

Interested in opening a secure email account using encryption and 2FA to provide maximum security and privacy ? Subscribe to a Mailfence free account. In addition to Mailfence secure email, you’ll enjoy a complete office suite, with a calendar including a poll feature, a group manager and a contact manager, a storage platform and documents manager, and an instant messaging feature, all secure.

Get a free account and reclaim your privacy!

Reclaim your email privacy.
Create your free and secure email today.
M Salman Nadeem

M Salman Nadeem

Salman works as an Information Security Analyst for Mailfence. His areas of interest include cryptography, security architecture and design, access control, and operations security. You can follow him on LinkedIn @mohammadsalmannadeem.

Recommended for you