What Are the Biggest Password Mistakes Employees Make? (and How to Avoid Them!)

Can you remember back when you had to create your very first password? It was probably something like your pet’s name or a favorite flower. It was also probably fairly weak by today’s standards and easy to hack.

Unfortunately, while time has changed the cybersecurity landscape into one that contains more advanced threats than ever, it hasn’t changed our bad password habits.

Many employees still use passwords that contain personally identifiable information and are easy for hackers to guess. Now, though, login credentials are one of the most popular commodities on the dark web, and weak or stolen passwords account for a majority of the data breaches that companies fall victim to.

81% of data breaches are due to poor passwords.

Companies employ many IT security strategies to combat breaches of their network and devices, such as a firewall, anti-phishing application, antivirus, and web application protections. But, if a hacker has your login password, they can often slide right past all that security, because the system thinks they’re you.

Fixing Bad Password Habits

Bad password habits have one thing in common: a lot of people seem to fall into them. Let’s take a look at what people are doing wrong when it comes to their login credentials and how to avoid it.

Using Weak Passwords

The biggest problem with passwords is that users tend to make them too easy so they can remember them. The list of the 10 most common passwords is in the hacker’s training manual and it includes passwords like:

  • 123456
  • 123456789
  • qwerty
  • password (yes, it’s the 4th most popular!)
  • 111111 (really?)
  • abc123

Weak passwords make a hacker’s job too easy.

Requiring strong passwords can help prevent employees from making them too easy to guess. Programs like Office 365 and other cloud services allow you to set up password security policies that will reject passwords that are too simple and force strong password creation.

Strong password policies include:

  • Long passwords (a minimum of 7-10 characters)
  • Both upper and lower-case letters
  • A combination of letters, numbers, and symbols
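The policy checks above can be enforced in code rather than left to the user. The following is an added example, not code from the original article or from any product it mentions: it rejects passwords that fall short of the length, character-mix and common-password rules listed here. The minimum length of 10 and the six-entry common-password set are assumptions for the demo; a real deployment would load a full breached-password list.

```python
import re
import string

# Constructed sample of the common passwords named in the article; a real
# deployment would load a much larger breached-password list.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111", "abc123",
}

# Assumed policy value: the article suggests a 7-10 character minimum,
# so this example settles on 10.
MIN_LENGTH = 10


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # Reject common passwords even when dressed up with capitals or a
    # trailing "123!" (strip trailing digits/symbols, then compare lower-cased).
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def is_strong(pw: str) -> bool:
    """True only when no policy rule is violated."""
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ("123456", "Password123!", "Tr0ub4dor&3xplorer"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

The trailing-decoration strip matters in practice: "Password123!" satisfies every character-class rule yet is still just "password" with the usual suffix, so a checker that only counts character classes would wave it through.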

Using the Same Password for Multiple Logins

A typical password is used an average of 5 times for different logins. Users tend to keep a rotating list of a few passwords and then reuse them over and over again. This is dangerous because it means that a hacker only has to breach one login to gain entry to multiple applications.

For example, say you shopped at CafePress (which had a data breach in 2019) and used the same email and password on that site as you do for your company’s Office 365 application. Once CafePress had a breach, those login credentials were fair game on the Dark Web, and you had better believe that hackers are trying them everywhere, because they know users reuse passwords in other places.

Users tend to use the same passwords because remembering unique passwords that are also considered strong for every single login is nearly impossible. This is where the use of a password management application can help significantly.

With a password manager, you only have to remember a single strong password, and the application stores all your other passwords in a vault and will help you create long and complex passwords for every login. Use the master password to gain access to all the others.

Sharing Passwords with Colleagues

No matter how much you trust your co-worker, sharing your passwords is a really bad habit. But 69% of employees say that they’ve done just that.

While your colleague may be trustworthy, what happens if they write down your password and that sticky note is found by someone else? Just remember, anyone using your password looks like you in any application activity logs.

This is one of those bad habits that can’t be fixed with an application; employees need to be warned of the dangers of sharing their passwords. If you have a policy in place that forbids password sharing, make sure your employees know. It also helps to remind them that any activity can be recorded in application logs, so whatever someone does on their login is under their name.

Writing Down a Password and Sticking it to a Device

If your laptop is lost or stolen and you have your computer login taped to the bottom, that’s a gift to the thief. 38.6% of users write their passwords down on paper, which makes those passwords very easy to compromise, whether at their desk or on the road at a trade show.

One way to combat compromised passwords is to enable multi-factor authentication (MFA) for all your business application logins. This is a safeguard that keeps someone out even if they know the username and password.

MFA requires another factor of authentication, such as a PIN sent to your phone via SMS or a USB token device. Without that second authentication factor being used, a hacker with a password can’t get in to compromise your data.
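To make the "password alone is not enough" point concrete, here is an added example of a login check that requires both factors; it is not code from the original article or from any product it names. The article mentions an SMS PIN or a USB token as the second factor; this example assumes a counter-based one-time code (HOTP, RFC 4226) instead, because it can be verified offline, and it uses the RFC's published test secret so the codes are reproducible. The user record, salt and password are constructed for the demo.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret, used here only so the generated codes are reproducible.
# A real deployment generates a random per-user secret (e.g. secrets.token_bytes(20)).
HOTP_SECRET = b"12345678901234567890"

# Constructed, fixed salt so the demo record can be rebuilt; use os.urandom in practice.
SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256) so a stolen hash is expensive to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user(password: str) -> dict:
    """Constructed demo user record: password hash plus MFA secret and counter."""
    return {
        "password_hash": hash_password(password, SALT),
        "mfa_secret": HOTP_SECRET,
        "counter": 0,
    }


def login(user: dict, password: str, otp: str, window: int = 3) -> bool:
    """Succeed only when BOTH the password and a fresh one-time code verify.

    The server accepts the next `window` counter values to tolerate a token
    that was pressed without being used, and burns the counter on success so
    an observed code cannot be replayed.
    """
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["password_hash"])
    for c in range(user["counter"], user["counter"] + window):
        if hmac.compare_digest(hotp(user["mfa_secret"], c), otp):
            if pw_ok:
                user["counter"] = c + 1  # consume this and any skipped codes
                return True
            break
    return False  # password wrong, code wrong, or code already used


if __name__ == "__main__":
    u = make_user("Tr0ub4dor&3xplorer")
    print("password only:     ", login(u, "Tr0ub4dor&3xplorer", "000000"))
    print("code only:         ", login(u, "stolen-guess", hotp(HOTP_SECRET, 0)))
    print("both factors:      ", login(u, "Tr0ub4dor&3xplorer", hotp(HOTP_SECRET, 0)))
    print("replay of same code:", login(u, "Tr0ub4dor&3xplorer", hotp(HOTP_SECRET, 0)))
```

Two design details carry the security weight: comparisons use `hmac.compare_digest` so timing does not leak how close a guess was, and a correct code is only consumed when the password also verified, so an attacker who knows the password but not the secret cannot get in, and one who captured a single code cannot reuse it.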

Get a Free Security Assessment Today!

Don’t leave your company vulnerable to a data breach, find out how strong your data security strategy is and get insight into what can make it stronger. Technology Visionaries can provide you with a full comprehensive report giving you valuable insight into your IT security.

Schedule your free security assessment by calling us at 732-587-5960 or using our contact form.