Weak passwords remain one of the biggest drivers of data breaches, with over 80% of incidents linked to compromised credentials.
To better understand why so many passwords fail to offer real protection, Hostinger’s experts analyzed thousands of real-world entries across multiple leaked datasets. Using a combination of machine learning and behavioural analysis, we identified the most common password mistakes and why users keep making them.
Here are the top mistakes identified:
1. Using Short Passwords
Insight: 21.7% of the passwords we analyzed were under 8 characters – all of them were cracked instantly.
Why it Happens: Short passwords are quicker to type and easier to remember. But they’re also the first to fall to brute-force attacks.What You Can Do Now: Make sure your password is at least 12 characters long, ideally using a phrase or sentence you’ll remember.
2. Using “Unique” Passwords
Insight: Passwords that look unique (like “minebluecar67”) are often made from low-entropy patterns that are easy to break.Why it Happens: People choose familiar word-number combinations, thinking they’re safer than generic passwords. But these formats are highly predictable.
What You Can Do Now: Mix uppercase, lowercase, numbers, and special characters, and avoid common words or patterns.
3. “Very Weak” Doesn’t Always Mean “Short”
Insight: Even though some of these passwords were over 20 characters long, they had a 13% crack rate, making them nearly as easy to break as much shorter passwords.Why it Happens: People assume longer passwords are automatically stronger, but repetition lowers security (like “aaaaaaa” or “123123123”).
What You Can Do Now: Avoid repetition. Variety in structure is just as important as overall length.
4. Not Knowing Breached Passwords
Insight: A large portion of passwords used today still appear in the top 10 million most leaked passwords. In our study, 475 passwords matched high-frequency entries from global breach lists.
Why it Happens: People aren’t aware their credentials have been compromised, or they reuse old passwords out of habit.What You Can Do Now: Use sites like “Have I Been Pwned” to regularly check your credentials and avoid reusing any password that appears on a known breach list.
“A lot of people assume that once they’ve set up their privacy settings or chosen a strong password, they’re fully protected. But the truth is, security and privacy are ongoing processes. New threats and vulnerabilities appear constantly, and the platforms we use are always evolving. Staying safe means staying alert — regularly reviewing your privacy settings, keeping your passwords strong and unique, and making sure two-factor authentication (2FA) is active are just as important as the initial setup. Security-related settings should be maintained over time to ensure they still reflect your needs and provide the right level of protection.”
