Password Generator · 6 min read
5 Password Mistakes That Show Up in Every Breach
Every password dump from the last decade reveals the same handful of mistakes. Here are the five that account for the bulk of compromised accounts — and how to avoid them.
Have I Been Pwned now indexes more than 13 billion compromised credentials. Despite the variety of source breaches — gaming sites, banks, social networks, dating apps — the patterns of bad passwords are remarkably consistent. The same five mistakes account for the majority of accounts that fall to credential stuffing and offline cracking.
1. Reusing the Same Password Across Sites
This is the single most damaging habit, and the easiest one to fix. When one site is breached and your password leaks, attackers immediately try that email/password pair against banking, email, and shopping sites. Das et al. (2014) found that 43–51% of users reuse passwords across multiple accounts, and a further chunk use trivial variants (password1, password2).
Credential stuffing is now the dominant attack vector cited in Verizon's annual breach reports. The fix is mechanical: a password manager, one unique password per site, no exceptions.
2. Predictable Substitutions and Suffixes
Replacing a with @, e with 3, and tacking ! on the end feels clever. Cracking dictionaries have known about it since the 1990s. Hashcat's default rule sets apply every plausible leet-speak substitution and suffix combination in seconds.
P@ssw0rd!, Summer2026!, and Welcome123$ all have an effective search cost of a few thousand guesses, regardless of what an entropy calculator tells you. If a human chose it from a recognisable base word, assume an attacker can derive it.
3. Anchoring on Personal Information
Birthdays, pet names, kids' names, partner's name, favourite team, hometown, current employer. All of it is on social media, in data brokers' files, or in older breach dumps. Targeted attackers (and increasingly, automated tools) build a personal dictionary per victim and try those candidates first.
The pattern is so common that breach analyses consistently find "FirstnameYearOfBirth" near the top of every dump. If a stranger on LinkedIn could plausibly guess the components of your password, it is not random enough.
4. Short Passwords on Anything That Matters
An 8-character random password gives roughly 47 bits of entropy if drawn from lowercase + digits. Modern offline cracking against a fast hash (MD5, SHA-1, NTLM) clears that in under a minute on a single rented GPU. Even against bcrypt, it is hours, not centuries.
Length is the cheapest defence. NIST SP 800-63B sets a floor of 8 characters but explicitly recommends allowing up to 64. For anything you actually care about, 14+ characters of random text or a 5+ word passphrase is the realistic minimum in 2026.
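The arithmetic behind the bit counts and cracking times in this section, as an added example written for this post (not the author's code): entropy is length × log2(alphabet size), and the expected time to hit a password is half the keyspace divided by the guess rate. It also covers the passphrase case, where the "alphabet" is the wordlist. The guess rates are constructed placeholders for illustration, not benchmarks; running it prints the figure for each character set so you can see which alphabet a given bit count corresponds to.

```python
import math

# Alphabet sizes for common character sets (printable ASCII assumptions).
ALPHABETS = {
    "lowercase": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}

# Guess rates in guesses per second. These are rough, constructed figures for
# illustration only; real throughput depends on hardware and hash parameters.
GUESS_RATES = {
    "fast unsalted hash, one GPU": 1e11,
    "bcrypt at a typical cost, one GPU": 1e5,
}

DICEWARE_WORDS = 7776  # size of a standard diceware wordlist (6^5)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase drawn uniformly from a wordlist."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** bits / 2) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest unit that fits, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for length in (8, 14):
        for name, size in ALPHABETS.items():
            bits = entropy_bits(length, size)
            times = "  ".join(
                f"{rate_name}: {human_duration(expected_crack_seconds(bits, rate))}"
                for rate_name, rate in GUESS_RATES.items()
            )
            print(f"{length:>2} chars, {name:<20} {bits:5.1f} bits  {times}")
    print(f"5-word diceware passphrase: {passphrase_bits(5):.1f} bits")
```

The useful comparison is between the two rows for the same alphabet at 8 and 14 characters: every added character multiplies the work by the alphabet size, which is why length beats character-class rules.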
5. Trusting the Strength Meter on the Signup Page
Most websites use a simple character-class meter: it counts uppercase, lowercase, digits, symbols and shows a green bar once you tick all four boxes. Password1! passes most of these. It is also in every breach dump on Earth.
Better meters use zxcvbn or similar libraries that score against real password dictionaries and known patterns. If the meter says "strong" for something you came up with in two seconds, it is wrong. Use a generator instead and bypass the question entirely.
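To make the difference between the two kinds of meter concrete (and to show why the substitutions from mistake 2 buy nothing), here is an added example written for this post; it is not code from zxcvbn, from the page's author, or from any signup form. The naive meter counts character classes; the pattern-aware one first strips a trailing year or symbol run, undoes common leet substitutions, and checks whether what remains is a dictionary word, in which case the cost is dictionary size times rules, not alphabet to the power of length. The dictionary, the substitution table and the rules-per-word figure are all constructed for the demo and far smaller than a real checker's.

```python
import math
import re

# Constructed mini-dictionary of base words found in every cracking wordlist.
# A real checker loads tens of thousands; this is a demo.
COMMON_BASES = {"password", "welcome", "summer", "winter", "admin",
                "letmein", "qwerty", "monkey", "dragon", "football"}

# Leet substitutions mapped back to the letter they usually stand for.
UNLEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
          "0": "o", "$": "s", "5": "s", "7": "t"}

# Trailing material a rule-based cracker appends: a year or short digit run,
# then up to two symbols. Anchored at the end of the string.
SUFFIX_RE = re.compile(r"(19\d{2}|20\d{2}|\d{1,4})?[!@#$%^&*.?]{0,2}$")

# Assumed number of mangling rules applied per dictionary word (constructed
# figure for the demo; real rule sets vary widely in size).
RULES_PER_WORD = 10_000


def naive_meter(pw: str) -> str:
    """The character-class meter most signup pages use."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if len(pw) >= 8 and classes == 4:
        return "strong"
    return "medium" if classes >= 3 else "weak"


def normalise(pw: str) -> str:
    """Strip a trailing suffix, undo leet substitutions, lowercase the rest."""
    core = SUFFIX_RE.sub("", pw, count=1)
    return "".join(UNLEET.get(c, c) for c in core).lower()


def pattern_aware_meter(pw: str) -> dict:
    """Estimate guesses by the cheapest derivation available to an attacker."""
    base = normalise(pw)
    if base in COMMON_BASES:
        guesses = len(COMMON_BASES) * RULES_PER_WORD
        reason = f"reduces to dictionary word '{base}'"
    else:
        # Fallback: brute force over the character classes actually present.
        # (A real checker also looks for dates, keyboard walks, repeats, etc.)
        alphabet = 26
        if any(c.isupper() for c in pw):
            alphabet += 26
        if any(c.isdigit() for c in pw):
            alphabet += 10
        if any(not c.isalnum() for c in pw):
            alphabet += 33
        guesses = alphabet ** len(pw)
        reason = "no dictionary match; brute force over observed classes"
    return {"guesses": guesses, "bits": math.log2(guesses), "reason": reason}


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Summer2026!", "Welcome123$", "Password1!", "xk9#Qp2mVz"):
        verdict = pattern_aware_meter(pw)
        print(f"{pw:<12} naive={naive_meter(pw):<7} "
              f"pattern-aware={verdict['bits']:5.1f} bits ({verdict['reason']})")
```

All four human-chosen examples from this article get "strong" from the naive meter and under 20 bits from the pattern-aware one; only the generated string scores by brute force.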
What These Mistakes Have in Common
All five share a single root cause: a human chose the password. Humans are predictable, even when we are trying not to be. We pick familiar words, follow familiar patterns, and reuse what we have already memorised.
The two interventions that fix all five at once are well-known and boring: use a password manager to generate and store random passwords, and turn on two-factor authentication everywhere it is offered. The math behind why this works is settled. The hard part is the habit change.
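The "generate" half of that intervention is small enough to show in full. This is an added example for this post, not the code of any password manager: it draws characters and words from the operating system's CSPRNG through Python's `secrets` module, which is the one detail that matters (the `random` module is not suitable for this). The 16-word list is constructed so the example runs offline; a real generator uses a vetted list such as a diceware list, which is not included here.

```python
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"
DEFAULT_ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed 16-word list so the example runs offline. A real generator uses a
# vetted wordlist of several thousand entries, which is not shipped with this demo.
DEMO_WORDS = [
    "acorn", "basalt", "cobalt", "dahlia", "ember", "fjord", "granite", "helium",
    "iodine", "juniper", "kestrel", "lantern", "magnet", "nettle", "orchid", "pewter",
]


def random_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Uniformly random characters from the OS CSPRNG via `secrets`.

    `random.choice` is not acceptable here: its Mersenne Twister state can be
    recovered from observed output, so the result would be predictable.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=DEMO_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word drawn independently and uniformly,
    so the entropy is exactly words * log2(len(wordlist))."""
    if words < 1:
        raise ValueError("words must be at least 1")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def conforms(pw: str, length: int, alphabet: str = DEFAULT_ALPHABET) -> bool:
    """Sanity check: right length and only characters from the alphabet."""
    return len(pw) == length and all(c in alphabet for c in pw)


if __name__ == "__main__":
    print("password:  ", random_password(16))
    print("passphrase:", random_passphrase(5))
```

Two things to keep in mind if you adapt it: do not "improve" the output by forcing one character from each class (that removes entropy and reintroduces a pattern), and store what you generate in a manager rather than trying to memorise it.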
One Quick Audit
Plug your email into Have I Been Pwned. If anything comes back, the password from that breach is in attackers' hands. If you used it anywhere else — and statistically, most people have — change it everywhere. That ten-minute audit prevents the most common compromise scenario by a wide margin.
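The audit above is by email address; the same service also publishes the password side of the check (Pwned Passwords, in the references), and a signup or password-change form can query it without ever sending the password. Here is an added example of that flow written for this post, not code from Have I Been Pwned: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint, and compares the returned suffixes locally. The endpoint URL and the Add-Padding header are the real API; the response rows in the example are constructed so it runs offline (the third suffix is the genuine remainder of SHA-1("password"), but every count is invented).

```python
import hashlib
import urllib.request


def sha1_split(password: str) -> tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-char prefix sent to the API and the
    35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding rows arrive with count 0 and map to 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Live lookup against the Pwned Passwords range endpoint (needs network)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """How many times the password appears in the corpus; 0 if unseen."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the API. The third row's suffix is the real
# remainder of SHA-1("password"); every other suffix and every count is invented.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "F9A5C3B1D7E2A4C6B8D0E2F4A6C8E0B2D4F:0",  # padding row
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Returns the constructed response for the one prefix we stubbed, else empty."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch_range_offline)
        status = f"seen {n} times, reject it" if n else "not in the constructed corpus"
        print(f"{pw!r}: {status}")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; a non-zero count is the signal to reject the password at signup, which is exactly the check NIST 800-63B asks verifiers to perform against known-breached lists.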
References
- Hunt, T. (2024). Pwned Passwords. Have I Been Pwned.
- Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). NIST Special Publication 800-63B: Digital Identity Guidelines. National Institute of Standards and Technology.
- Das, A., Bonneau, J., Caesar, M., Borisov, N., & Wang, X. (2014). The Tangled Web of Password Reuse. Network and Distributed System Security Symposium.
- Verizon. (2024). Data Breach Investigations Report. Verizon Business.