7 Password Mistakes That Put Your Accounts at Risk

Published 1 April 2026 · 6 min read

Data breaches expose billions of passwords every year, and researchers who study these leaks see the same patterns over and over. Here are the seven most common mistakes — and what to do instead.

1 Using the same password everywhere

This is the big one. When one service gets breached, attackers immediately try your credentials on every other platform. It's called credential stuffing, and it's automated — bots can test thousands of sites within minutes. One weak link compromises everything.

Fix: Use a unique password for every account. A password manager makes this painless.

2 Choosing short passwords

An 8-character password using all character types has about 6 quadrillion combinations. That sounds like a lot — until you realise that modern GPU rigs can test hundreds of billions of guesses per second. That 8-character password could fall in under a day. Bump it to 16 characters and you're looking at millions of years.

Fix: Use at least 16 characters. 20+ is ideal.

3 Using dictionary words

Attackers don't just try random combinations — they start with dictionary attacks: every word in every language, plus common names, places, and pop culture references. Words like sunshine, dragon, football, and princess appear in almost every breach list.

Fix: If you want something memorable, use our pronounceable generator — it creates syllables that sound like words but aren't in any dictionary.

4 Predictable substitutions

Swapping a for @, e for 3, or s for $ feels clever, but attackers have been wise to this for decades. Every modern cracking tool tries these substitutions automatically. P@$$w0rd is cracked just as quickly as Password.

Fix: Let a generator create truly random passwords instead of trying to outsmart the system yourself.
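As an added illustration of mistakes 2 to 4 (example code written for this page, not code from the article or from PasswordBuddy), the check below undoes the same substitutions a cracking rule would undo, looks the result up in a small word list, and estimates how long exhausting the keyspace takes at the article's guess rate. The word list, the substitution table and the guess rate are constructed assumptions.

```python
import string

# Constructed stand-in for the breached-password word lists that cracking tools
# load first (hypothetical; a real check would use a full breach corpus).
COMMON_WORDS = {"password", "sunshine", "dragon", "football", "princess", "welcome"}

# Substitutions that cracking rules undo before the dictionary lookup (assumed table).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

GUESSES_PER_SECOND = 5e11  # "hundreds of billions" per second, as the article puts it

def normalize(password: str) -> str:
    """Reverse the predictable tweaks: drop a trailing '123!' tail, undo leet, lowercase."""
    base = password.rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP).lower()

def keyspace(password: str) -> int:
    """Alphabet the password actually draws from, raised to the power of its length."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable symbols
    return alphabet ** len(password)

def crack_seconds(password: str) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / GUESSES_PER_SECOND

def check(password: str) -> list:
    """Return the article's mistakes 2-4 that the password exhibits; [] means none found."""
    problems = []
    if len(password) < 16:
        problems.append("too short (mistake 2)")
    if normalize(password) in COMMON_WORDS:
        problems.append("dictionary word once substitutions are undone (mistakes 3 and 4)")
    if crack_seconds(password) < 86_400:
        problems.append("entire keyspace searchable in under a day")
    return problems

if __name__ == "__main__":
    for pw in ["P@$$w0rd", "Sunsh1ne2024!", "kq7#Vz2!pL9m&Rt4Xw6@"]:
        print(f"{pw!r}: {check(pw) or 'no issues found'}")
```

Note that "Sunsh1ne2024!" passes the brute-force time check yet still fails, because a dictionary-plus-rules attack never needs to search the keyspace.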

5 Using personal information

Your surname, your birthday, your pet's name, your car's number plate — all of this is either publicly available or easily guessable. Targeted attacks start by gathering personal details from social media and then generating password lists based on those details.

Fix: Your password should have zero connection to your life. Use randomly generated characters or syllables.

6 Never changing compromised passwords

Breaches happen constantly, and your email might already be in multiple leaked databases. If you don't check and change compromised passwords, attackers can use them months or even years later.

Tip: Visit Have I Been Pwned and enter your email address. It will show you every known breach your accounts have appeared in. Change those passwords immediately.

7 Not using two-factor authentication

Even the strongest password in the world can't protect you if the service itself gets breached and stores passwords badly. Two-factor authentication (2FA) adds a second layer — usually a code from your phone — that an attacker can't get even if they have your password. Enable it on every account that supports it, especially email, banking, and social media.

Fix: Use an authenticator app (like Google Authenticator or Authy) rather than SMS where possible, as SIM-swapping attacks can intercept text messages.

Break the habit — generate a strong, unique password right now.

Open PasswordBuddy Generator