The Most Common Password Mistakes and How to Avoid Them

Weak passwords cause over 80% of data breaches, with short and repetitive passwords being easily cracked. Many users reuse breached or predictable passwords. Hostinger advises using passwords at least 12 characters long, mixing character types, avoiding repetition, and regularly checking breaches via tools like “Have I Been Pwned.” Continuous vigilance and two-factor authentication are essential for ongoing online security.

Weak passwords remain a critical vulnerability in cybersecurity, accounting for over 80% of data breaches globally. According to recent reports, compromised credentials contribute to more than 60% of hacking-related incidents, leading to significant financial and reputational damage for individuals and organisations alike. 

To better understand why so many passwords fail to provide adequate protection, experts at Hostinger analysed thousands of real-world passwords across multiple leaked datasets, encompassing millions of compromised credentials worldwide. Using advanced machine learning techniques combined with behavioural analysis, the study identifies the most frequent password mistakes and explains why users continue to make these errors despite widespread awareness of cyber risks.

Egidijus Navardauskas, Head of Security at Hostinger, emphasises the need for continuous attention to online security. He states, “A lot of people assume that once they’ve set up their privacy settings or chosen a strong password, they’re fully protected. But the truth is, security and privacy are ongoing processes. New threats and vulnerabilities appear constantly, and the platforms we use are always evolving. Staying safe means staying alert — regularly reviewing your privacy settings, keeping your passwords strong and unique, and making sure two-factor authentication (2FA) is active are just as important as the initial setup. Security-related settings should be maintained over time to ensure they still reflect your needs and provide the right level of protection.”

Why “Unique” passwords may not be secure

Using short passwords
Insight: 21.7% of the passwords analysed were under 8 characters – all were cracked instantly.
Why it happens: Short passwords are quicker to type and easier to remember. But they are also the first to fall to brute-force attacks.
What you can do now: Make sure your password is at least 12 characters long, ideally using a phrase or sentence you’ll remember.

Using “Unique” passwords
Insight: Passwords that appear unique (such as “minebluecar67”) often come from low-entropy patterns that are easy to break.
Why it Happens: People choose familiar word-number combinations, thinking they are safer than generic passwords. But these formats are highly predictable.
What you can do now: Mix uppercase, lowercase, numbers, and special characters, and avoid common words or patterns.

“Very Weak” doesn’t always mean “Short”
Insight: Some passwords over 20 characters had a 13% crack rate, making them nearly as easy to break as shorter passwords.
Why it happens: People assume longer passwords are automatically stronger, but repetition lowers security (for example, “aaaaaaa” or “123123123”).
What you can do now:Avoid repetition. Variety in structure is as important as length.

Not knowing breached passwords
Insight: Many passwords still appear in the top 10 million most leaked passwords. In the study, 475 passwords matched frequent entries from global breach lists.
Why it happens: People are unaware their credentials have been compromised or reuse old passwords out of habit.
What you can do now: Use sites like “Have I Been Pwned” to check credentials regularly and avoid reusing any password that appears on known breach lists.