All of us are probably currently using passwords that hackers would love if they ran across them.

If you use the internet at all, you have multiple passwords to juggle. And, whether it’s business or personal, it’s easy to get lazy, develop bad habits, or fall into the “it won’t happen to me” trap.

One of the key tests to see if your passwords…all your passwords…are as good as they can be is to forecast the reaction you would have if you were hacked. If you know you’d be kicking yourself and saying, “Why did I do that? I should have known better!”, then it’s time to re-visit your current password habits.

What are the mistakes that hackers love most? Here’s a list…

1. Using strong passwords for just your “important” accounts.

We all tend to focus our best security efforts on the accounts that we perceive to be the most valuable. Bank accounts, financial accounts, tax accounts, business accounts, etc. most often get priority attention, while Facebook, Instagram, hobby accounts, and club memberships most often get the least. No matter the perceived value of an account they should all receive your best password security efforts. Often a breach in one can lead to a breach in another.

2. Using personal information in your password.

Passwords don’t have to be complicated to be strong, they just need to be hard to figure out. When you use personal information, you make it easier for hackers to crack your code and hand over a bridge to figure out your other passwords.

Don’t use your name, your kid’s name, your birthday, your mother’s maiden name, your street name, or other personal information clues.

You can still use clues that help you remember, just don’t use personal info. Try using instead favorite movie characters, a song title from high school, a menu item you loved on a vacation you took, your favorite vintage TV show.

3. Being short and sweet.

Short, easy passwords are the easiest to crack. “Bluemoon25” is much easier to break than “$DarkBlue%Moon25$. Avoid using well known phrases and symbol replacements for letters. For example, SurfsUp33 is weak. $urf$Up33 isn’t much better.  

Your password should be at least 25 characters and should include a combination of letters, numbers, and symbols.

The good news is most websites compel you to use certain length and composition minimums for your password to qualify. Make sure your older accounts are updated to these standards.

4. Re-using the same password for different accounts.

This is something most of us are guilty of. We come up with a password we like and remember, and we lean on it for account after account. Or, we use the same password but vary it slightly by changing a number or symbol at the end to mix things up a bit. This practice makes it easy for hackers and hacking software to figure out your password and do more widespread damage.

The solution? Choose unique passwords for each account. That may seem like a tall order, but there are multiple password management solutions available these days to help you maintain the list.

5. Not using multi-factor authentication services when offered.

Multi-factor authentication provides additional protection by requiring another layer of verification beyond your username and password. This is usually accomplished by an additional numerical code sent to your email or phone number. You can’t add this service yourself, it’s offered by many (but not all) sites on the internet. Although it adds an extra step to the sign in process, it offers more protection, and you should elect to use it whenever possible.

6. Not utilizing password management tools.

Password managers can be invaluable aides in the quest to strengthen your password game. They can help you create strong passwords in the first place, then assist you in keeping track of them all. They can auto-fill your passwords in the designated account, so you don’t need to remember them all. Many password managers can even help you avoid phishing attempts by refusing to auto-fill when they recognize an issue.

There are several password managers available to business and personal users. Consult with your IT provider to determine which one is best for your needs.

7. Not taking an active and ongoing role in your own password protection.

It’s easy to get complacent about your passwords. You probably set most of them years ago and moved on. You probably were offered multi-factor authentication, but clicked “remind me later” and moved on. Hackers, on the other hand are busy and active, constantly trying new techniques and employing new technologies. You need to be active as well. Review and update your weak passwords, sign up for multi-factor authentication, get a password manager, consider new technologies that are introduced.

The good news is, if you’re using a strong password, multi-factor authentication, and a password manger you shouldn’t need to constantly change your passwords every few months like what used to be recommended. The challenge is to get all your passwords on that level.