15 Password Mistakes That Put You at Risk

From password reuse to ignoring breach alerts, these are the most common password security mistakes made by Hong Kong users — and the exact steps to fix each one.

Fix most mistakes with a password manager → Guide to Password Security
Common password mistakes to avoid illustration
1Mistakes 1–4

The Four Most Dangerous Password Mistakes

Mistake 1: Reusing the same password across multiple accounts. This is the single most dangerous password habit. When any service you use suffers a data breach — and thousands do every year — attackers immediately run the stolen credentials through automated tools that test them against banking sites, email providers, and social media platforms. If you use the same password everywhere, one breach becomes a total compromise of your digital life. Fix: Use a password manager to generate and store a unique password for every single account.

Mistake 2: Using short passwords. Any password under 12 characters can typically be cracked by modern hardware in hours or days even with full character set complexity. The widespread corporate policy of requiring 8-character passwords with complexity rules was never based on current threat realities. Fix: Use passwords of at least 16 characters — ideally 20 or more for critical accounts. A password manager makes this effortless.

Mistake 3: Using personal information in passwords. Names, birthdays, addresses, pet names, schools, and football teams are the first things attackers try when targeting specific individuals. This information is often publicly available on social media or easily obtainable. A password like "HKLionRock2024!" might seem unique to you but is trivially personalised for an attacker who has done five minutes of research. Fix: Use randomly generated passwords with no connection to your identity.

  • Mistake 1 — Password reuse: Use a manager to generate and store unique passwords for every account
  • Mistake 2 — Short passwords: Use 16+ characters minimum — length is the most important factor in password strength
  • Mistake 3 — Personal info: Avoid names, birthdays, places, and anything publicly linked to your identity
  • Mistake 4 — Keyboard patterns: Avoid "qwerty", "123456", "asdfgh" — these are in every cracking dictionary
  • Common theme: Predictability is the enemy of password security — randomness is what protects you
  • Manager solution: A password manager eliminates mistakes 1, 2, and 3 automatically by generating unique random passwords
How to create passwords that avoid all these mistakes →
Top four most dangerous password mistakes
2Mistakes 5–9

Storage, Sharing, and Management Mistakes

Mistake 5: Storing passwords in plaintext. Notes apps, spreadsheets, text files, and sticky notes are used by far more people than would care to admit it for password storage. Any of these can be accessed if your device is compromised, synced to cloud services where they may be less secure, or physically seen by a third party. Fix: Use only an encrypted password manager for credential storage. Even your phone's Notes app is not an acceptable substitute.

Mistake 6: Sharing passwords via WhatsApp or email. Once sent, a password in a message or email is stored in multiple places, backed up potentially to unsecured cloud accounts, and permanently outside your control. Fix: Use your password manager's built-in sharing feature, which shares access without revealing the plaintext password and can be revoked at any time.

Mistake 7: Using weak security questions. Security questions like "What is your mother's maiden name?" or "What city were you born in?" often have answers that are publicly available on social media or guessable. When used as a password reset mechanism, they become the weakest link in your account security. Fix: Where security questions are required, enter a random password manager-generated string as the answer and save it in your vault — never use the real answer.

  • Mistake 5 — Plaintext storage: Never use notes, spreadsheets, or text files for passwords — use only an encrypted manager
  • Mistake 6 — WhatsApp sharing: Sharing via messages loses all control over the credential — use manager sharing features instead
  • Mistake 7 — Weak security questions: Use random strings as security question answers and store them in your vault
  • Mistake 8 — Browser-only storage: Browser-saved passwords lack master password protection and are vulnerable to infostealer malware
  • Mistake 9 — No 2FA: A stolen password alone can access an account without two-factor authentication — enable it everywhere
  • Fix pattern: Most of these mistakes are solved by properly adopting a dedicated password manager with 2FA enabled
How to share passwords without these risks →
Storage and sharing password mistakes
3Mistakes 10–12

Maintenance and Monitoring Mistakes

Mistake 10: Never checking if passwords have been breached. Billions of credentials are available in dark web markets, and yours may be among them without your knowledge. Many people discover their accounts were compromised only after unauthorised access has occurred. Fix: Use Have I Been Pwned to check your email addresses, enable breach monitoring in your password manager, and subscribe to HKCERT security alerts.

Mistake 11: Ignoring breach notifications. When a service sends you a security notification about a breach, many users dismiss it or delay action, particularly if the service seems minor or unimportant. Attackers count on this delay. A leaked minor forum password that you also used for your email account is extremely dangerous even if the forum itself held no sensitive data. Fix: Treat every breach notification as requiring immediate password change, especially for any site where you may have reused a password.

Mistake 12: Not updating old accounts. Passwords created several years ago were often weaker than current recommendations — shorter, less random, and frequently reused. Many people migrate to a password manager but never go back to update their older existing accounts. Fix: Run your password manager's security audit and systematically update weak and reused passwords, prioritising financial and email accounts first.

  • Mistake 10 — No breach monitoring: Enable HIBP notifications and manager breach alerts for continuous monitoring
  • Mistake 11 — Ignoring notifications: Every breach notification requires immediate action — do not delay even for seemingly minor sites
  • Mistake 12 — Stale old passwords: Run a security audit and update weak passwords from before you started using a manager
  • Annual review: Schedule a yearly password security review to catch accumulating issues
  • Priority accounts: Always address email and banking account compromises within hours, not days
  • Cascade awareness: A seemingly minor breach becomes critical if that password was reused anywhere important
How to check if your passwords have been breached →
Password monitoring and maintenance mistakes
4Mistakes 13–15

Advanced Mistakes Even Password Manager Users Make

Mistake 13: Using a weak master password. Many users adopt a password manager but protect it with a weak, memorable master password that defeats the purpose. If your vault's master password is "MyPassw0rd!" or any short, predictable string, an attacker who targets you specifically can potentially brute-force vault access. Fix: Use a Diceware passphrase of at least four truly random words for your master password — long, random, and unique.

Mistake 14: Not protecting the password manager with 2FA. A password manager without two-factor authentication is protected by only the master password. If that password is obtained through phishing, malware, or shoulder surfing, an attacker has everything. Fix: Enable 2FA on your password manager account — use an authenticator app like Aegis, Authy, or Apple's built-in authenticator rather than SMS-based 2FA where possible.

Mistake 15: Not having a backup or recovery plan. What happens if you forget your master password? What if your 2FA device is lost or broken? What if you die or are incapacitated? Without a recovery plan, your heirs or emergency contacts may be permanently locked out of critical account credentials. Fix: Store your master passphrase in physical written form in a fireproof safe; configure emergency access in your manager; and document which critical accounts exist and their recovery processes.

  • Mistake 13 — Weak master password: Use a four-word Diceware passphrase — the one password you must memorise should be genuinely strong
  • Mistake 14 — No 2FA on vault: Enable two-factor authentication on your password manager account using an authenticator app
  • Mistake 15 — No recovery plan: Write down your master passphrase securely, configure emergency access, and document accounts for heirs
  • 2FA backup codes: Store 2FA recovery codes for your manager in a physically secure location separate from your device
  • Emergency access: 1Password and Bitwarden both offer emergency access features — configure a trusted contact
  • Estate planning: Include your password vault access process in your estate planning documents
Master password best practices for your vault →
Password manager and master password mistakes

Ready to Fix Your Password Mistakes?

A password manager eliminates most of these 15 mistakes automatically — generating unique passwords, monitoring for breaches, and securing your vault.

Find the best password manager for Hong Kong → Guide to Password Security

Related VPN Articles

What Is a VPN?

The complete beginners guide to VPN technology.

How Does a VPN Work?

Encryption, IP masking and data tunnelling explained.

VPN Protocols Explained

OpenVPN, WireGuard, IKEv2 - which should you use?

Best VPNs for Hong Kong

Top-rated VPNs tested for HK users.

VPN for Streaming

Unblock Netflix, Disney+ and more from Hong Kong.

VPN on Public WiFi

Why public hotspots are dangerous and how VPN helps.

Free vs Paid VPN

What you sacrifice with a free VPN.

VPN for Gaming

Reduce lag and access geo-locked games.

VPN for Remote Work

Secure your home office connections.