Watch CBS News

Common password mistakes you're making that could get you hacked

CNET editor Dan Ackerman joins "CBS This Morning" with tips for creating strong passwords
How to create strong passwords 03:35

It's hard to memorize passwords as you juggle dozens of apps — whether you're logging in to stream your favorite show, view your medical records, check your savings account balance or more, you'll want to avoid unwanted prying eyes. 

You may be tempted to create the same easy password for every site, but that could leave you vulnerable to potential hacks which could end up draining your bank account.

In 2022, consumers reported being cheated out of around $8.8 billion due to fraud — a 30% increase from 2021, according to newly released Federal Trade Commission data. Roughly 2.4 million consumers reported cases of fraud to the FTC, with investment and imposter scams topping their list of complaints. The agency recently shared the top scams of 2022.

3 password mistakes to avoid

Creating strong passwords is one of the best ways to protect your accounts and keep hackers at bay. The first step toward protecting your digital footprint: reevaluating your passwords. Here are some common mistakes you may be making.

1. Setting simple passwords

Easy number password note stick on smartphone, keyboard.
The password "123456" topped a recent list of most common passwords in 2022. Getty Images/iStockphoto

When it comes to keeping your online accounts safe, simplicity isn't key. 

"There are several common mistakes people make with their passwords. For example, using a simple or short password such as a word or name, a sequence of numbers, or combination of these, can be easily guessed by malicious attackers," David Bader, distinguished professor and director of the Institute for Data Science at the New Jersey Institute of Technology, told CBS News.

Bader said one of the most common passwords is "abc123," which is a prime example of a password you should never use. While it may be easy to remember, it's also easy to guess.

That's even more sophisticated compared to what password manager NordPass has found. In 2022, NordPass released its top 200 most common passwords list, crowning "password" as the top used. Numerical lists "123456" and "123456789" followed, along with "guest" and "qwerty." 

"This is why many sites now require setting passwords longer than a certain length such as eight or more characters, and using a combination of letters, numbers and special characters such as '!@#$%^&*()?,'" Bader explained.

Mark Burnett, author of the book "Perfect Passwords," stressed that password strength grows with length. Every character counts.

"Numbers and special characters don't matter as much if your password is long enough. It is true that having those extra characters in your password will make them stronger, but the longer your password is, the less important they are, and password policies are much simpler without those requirements," Burnett told CBS News.

"I'd rather see a long password with just letters than a short one with a mix of characters," he added.

2. Repeating passwords

Password Box in Internet Browser
Cybersecurity experts warn users from inserting the same password across multiple accounts, especially if it's been flagged in a security breach. Getty Images/iStockphoto

Repeatedly using a simple password is bad, but regurgitating that same simple password across multiple apps and sites is even worse.

"This is like putting the same lock on every door in your neighborhood. If one is compromised, then the entire group is compromised," Bader cautioned.

An estimated 64% of people have reused a password that had been compromised in a breach, computer security service SpyCloud stated in its 2022 annual identity exposure report.

"If a site has you change to a new password, do not reuse any previous passwords as they may have already been stolen," Bader said, encouraging people to update their passwords at least every 90 days.

3. Sharing passwords

Netflix is cracking down on password sharing. What does that mean for users? 05:10

Password sharing has become increasingly popular among streamers. Netflix estimates more than 100 million households are sharing Netflix passwords. By the end of March, Netflix will start to use a customer's geographic location — based on their connected IP address and other signals — to determine the primary household and help curb outside use.

While it may seem harmless to swap passwords with friends and family, it's risky.

"Never email or share your passwords with anyone. No legitimate organization will ever call you up and ask for your password either. So if you receive a call from tech support claiming to need this information for one of your accounts, simply hang up the phone," Bader said.

However, Burnett points out that not every password is the same.

"Regardless of how careless you are with your Netflix password, you should do everything you can to protect your bank, email and other sensitive passwords," he said.

How to keep your passwords secure

Diversifying passwords, creating more sophisticated combinations and keeping them private are solid ways to keep your accounts secure. Additionally, you can enable backup security measures like two-factor authentication, prompting you to enter a second code and your password before gaining access to an app.

"Two-factor authentication for Apple ID is a must, the second factor should be a separate trusted device (like an iPad, a Mac, or an Apple Watch)," Vitaly Shmatikov, a professor of computer science at Cornell University and Cornell Tech, told CBS News.

Just don't use SMS text messages as your backup, Shmatikov suggested. "Instead, use an authenticator app (like Google Authenticator, Microsoft Authenticator, Duo, Okta Verify, etc.) and turn on biometric protection — require Face ID or Touch ID — in the authenticator app. Then a thief who steals your phone won't be able to get authentication codes and log into financial sites as you."

You may also want to consider using a password manager or password vault, which can recommend and store passwords for you, though even those tools occasionally flag security incidents.

"I recommend using a secure password vault to store potentially hundreds of passwords for the sites you use, and many password vaults available today will also suggest strong passwords that would be hard for an attacker to guess," Bader said.

Burnett agreed, "Everyone should use a password manager. If you don't have some way to manage all of your passwords, you will almost certainly be reusing the same passwords and they won't be as strong as they should be."

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.