Common password mistakes you're making that could get you hacked

by Jennifer Earl, CBS News

It’s hard to memorize passwords as you juggle dozens of apps — whether you’re logging in to stream your favorite show, view your medical records, check your savings account balance or more, you’ll want to avoid unwanted prying eyes.

You may be tempted to create the same easy password for every site, but that could leave you vulnerable to hacks that end up draining your bank account.

In 2022, consumers reported being cheated out of around $8.8 billion due to fraud — a 30% increase from 2021, according to newly released Federal Trade Commission data. Roughly 2.4 million consumers reported cases of fraud to the FTC, with investment and imposter scams topping their list of complaints. The agency recently shared the top scams of 2022.

3 password mistakes to avoid

Creating strong passwords is one of the best ways to protect your accounts and keep hackers at bay. The first step toward protecting your digital footprint: reevaluating your passwords. Here are some common mistakes you may be making.

1. Setting simple passwords

The password '123456' topped a recent list of most common passwords in 2022. GETTY IMAGES/ISTOCKPHOTO

When it comes to keeping your online accounts safe, simplicity isn’t key.

“There are several common mistakes people make with their passwords. For example, using a simple or short password such as a word or name, a sequence of numbers, or combination of these, can be easily guessed by malicious attackers,” David Bader, distinguished professor and director of the Institute for Data Science at the New Jersey Institute of Technology, told CBS News.

Bader said one of the most common passwords is “abc123,” which is a prime example of a password you should never use. While it may be easy to remember, it’s also easy to guess.

That’s even more sophisticated than what password manager NordPass has found. In 2022, NordPass released its list of the 200 most common passwords, with “password” in the top spot. The numeric sequences “123456” and “123456789” followed, along with “guest” and “qwerty.”

“This is why many sites now require setting passwords longer than a certain length such as eight or more characters, and using a combination of letters, numbers and special characters such as ‘!@#$%^&*()?,’” Bader explained.
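The policy Bader describes (a minimum length, a mix of letters, digits and special characters) and the common-password list above can be turned into a simple server-side check. The following is an added example written for this article, not code from CBS News, NordPass or any site mentioned here; the denylist contains only the passwords named on the page, and the keyboard-walk check is an added generalization of the “qwerty” and “123456” examples rather than a rule the article states.

```python
import re
from typing import List

# Passwords named on the page as the most common in 2022 (NordPass list)
# plus Bader's "abc123" example. A real deployment would load a much larger
# breached-password list here; this small set is for demonstration only.
COMMON_PASSWORDS = {"password", "123456", "123456789", "guest", "qwerty", "abc123"}

# Keyboard rows used to catch "walks" such as qwerty or 1234 (added
# generalization of the page's examples, not a rule the page states).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

MIN_LENGTH = 8  # the "eight or more characters" rule quoted in the article


def has_keyboard_run(password: str, run_len: int = 4) -> bool:
    """True if the password contains run_len adjacent keys from one keyboard row, in either direction."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_len + 1):
            segment = row[i:i + run_len]
            if segment in lowered or segment[::-1] in lowered:
                return True
    return False


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common: appears on the most-used-passwords list")
    if len(password) < MIN_LENGTH:
        problems.append(f"short: fewer than {MIN_LENGTH} characters")
    # "a combination of letters, numbers and special characters"
    if not re.search(r"[A-Za-z]", password):
        problems.append("classes: no letters")
    if not re.search(r"\d", password):
        problems.append("classes: no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("classes: no special characters")
    if has_keyboard_run(password):
        problems.append("pattern: contains a keyboard walk such as qwer or 1234")
    if len(set(password)) <= 2:
        problems.append("pattern: only one or two distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates: two from the article, one keyboard walk, one that passes.
    for candidate in ("abc123", "password", "Qwerty123!", "Tr0ub4dor&3"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that composition rules alone let “Qwerty123!” through; it is the denylist and pattern checks that catch the predictable choices the article warns about, which is why both belong in a policy.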

2. Repeating passwords

Cybersecurity experts warn users against using the same password across multiple accounts, especially if it has been flagged in a security breach. GETTY IMAGES/ISTOCKPHOTO

Repeatedly using a simple password is bad, but regurgitating that same simple password across multiple apps and sites is even worse.

“This is like putting the same lock on every door in your neighborhood. If one is compromised, then the entire group is compromised,” Bader cautioned.

An estimated 64% of people have reused a password that had been compromised in a breach, computer security service SpyCloud stated in its 2022 annual identity exposure report.

“If a site has you change to a new password, do not reuse any previous passwords as they may have already been stolen,” Bader said, encouraging people to update their passwords at least every 90 days.

3. Sharing passwords

Netflix cracks down on password sharing

Password sharing has become increasingly popular among streamers. Netflix estimates more than 100 million households are sharing Netflix passwords. By the end of March, Netflix will start to use a customer’s geographic location — based on their connected IP address and other signals — to determine the primary household and help curb outside use.

While it may seem harmless to swap passwords with friends and family, it’s risky.

“Never email or share your passwords with anyone. No legitimate organization will ever call you up and ask for your password either. So if you receive a call from tech support claiming to need this information for one of your accounts, simply hang up the phone,” Bader said.

How to keep your passwords secure

Diversifying passwords, creating more sophisticated combinations and keeping them private are solid ways to keep your accounts secure. Additionally, you can enable backup security measures like two-factor authentication, which requires you to enter a second code in addition to your password before gaining access to an app.

“Two-factor authentication for Apple ID is a must; the second factor should be a separate trusted device (like an iPad, a Mac, or an Apple Watch),” Vitaly Shmatikov, a professor of computer science at Cornell University and Cornell Tech, told CBS News.

Just don’t use SMS text messages as your backup, Shmatikov suggested. “Instead, use an authenticator app (like Google Authenticator, Microsoft Authenticator, Duo, Okta Verify, etc.) and turn on biometric protection — require Face ID or Touch ID — in the authenticator app. Then a thief who steals your phone won’t be able to get authentication codes and log into financial sites as you.”

You may also want to consider using a password manager or password vault, which can recommend and store passwords for you, though even those tools have occasionally suffered security incidents of their own.

“I recommend using a secure password vault to store potentially hundreds of passwords for the sites you use, and many password vaults available today will also suggest strong passwords that would be hard for an attacker to guess,” Bader said.

https://www.cbsnews.com/news/common-password-mistakes-people-expert-advice/

David A. Bader
Distinguished Professor and Director of the Institute for Data Science

David A. Bader is a Distinguished Professor in the Department of Computer Science at New Jersey Institute of Technology.