Using Personal Information
Birthdates, pet names, spouse names, addresses, and phone numbers feel memorable but are exactly the information an attacker researches first. Social media profiles make this data easily accessible. Any password derived from information about you is fundamentally weaker than a random password, no matter how creative the combination seems.
The False Security of Common Substitutions
Replacing 'a' with '@', 'e' with '3', or 'o' with '0' is so common that attackers build these substitutions into their cracking rules as standard practice. P@ssw0rd and Password are essentially equivalent from a cracking perspective. These tricks feel clever to users but are anticipated by every serious cracking tool.
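To make this concrete from the defender's side, the following is an added example (not code from the original article) of a signup-time check that undoes the usual substitutions before comparing a candidate against a common-password list, so that P@ssw0rd and Password are treated as the same word. It also counts how many spellings the substitution table can produce for a base word, which is the entire extra search space the trick buys. The substitution table and the tiny common-password set are constructed for the example; a real deployment would load a large breached-password corpus.

```python
import math
from typing import Iterable, List

# Reverse map of the usual "leet" substitutions (mangled char -> base letter).
# Constructed for this example; real cracking rule sets are far larger.
DELEET = {
    "@": "a", "4": "a",
    "3": "e",
    "1": "i", "!": "i",
    "0": "o",
    "$": "s", "5": "s",
    "7": "t",
}

# Forward map derived from DELEET: base letter -> set of substitute characters.
LEET: dict = {}
for _sub, _base in DELEET.items():
    LEET.setdefault(_base, set()).add(_sub)

# Tiny constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou", "summer"}

# Digits and symbols commonly appended as a suffix ("Summer2024!").
TRAILING = "0123456789!@#$%^&*.?_-"


def normalize(candidate: str) -> str:
    """Collapse a candidate to the dictionary word a cracking tool would start
    from: drop the trailing digit/symbol suffix, undo single-character
    substitutions, and lower-case the result."""
    stripped = candidate.rstrip(TRAILING)
    return "".join(DELEET.get(ch, ch) for ch in stripped).lower()


def substitution_variants(word: str) -> int:
    """Number of spellings of `word` the substitution table can produce.
    For 'password' this is 54: a handful of extra guesses, not a new search space."""
    return math.prod(1 + len(LEET.get(ch, ())) for ch in word.lower())


def weakness_reasons(candidate: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the reasons this check would reject a candidate.

    An empty list only means these specific cheap attacks do not apply;
    it says nothing about the password being strong.
    """
    reasons = []
    base = normalize(candidate)
    if base in COMMON_PASSWORDS:
        reasons.append(f"normalizes to common password '{base}'")
    lowered = candidate.lower()
    for term in personal_terms:
        t = term.lower()
        # Match personal data (pet name, birth year) in the raw or normalized form.
        if len(t) >= 3 and (t in lowered or t in base):
            reasons.append(f"contains personal term '{term}'")
    return reasons


if __name__ == "__main__":
    for pw in ("Password", "P@ssw0rd", "Summer2024!", "xQ7#vLm2pZ9r"):
        print(f"{pw!r:16} -> {normalize(pw)!r:12} {weakness_reasons(pw)}")
    print("variants of 'password':", substitution_variants("password"))
```

Running the block shows the first three candidates collapsing to entries in the common list while the random string passes. The check is cheap enough to run on every password change, and the same normalization step can be reused to compare a new password against profile data such as a pet name or birth year.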
Storing Passwords Insecurely
Writing passwords on sticky notes, storing them in unencrypted text files, or emailing them to yourself leaves them readable to anyone who gets access to the desk, the disk, or the mailbox. A password manager solves all of these problems with minimal friction.
Ignoring Breach Notifications
When services send breach notification emails, many users ignore them or treat them as low priority. These notifications should trigger immediate action: change that password, check whether you've reused it elsewhere, and monitor the associated accounts for suspicious activity.
Most password mistakes come down to prioritizing memorability over security. Random generation, a password manager, and breach monitoring together eliminate virtually all of these common vulnerabilities.