
Password Security 101: Why "Password123" Is Still Someone's Password


Every single year, security researchers publish the list of the most common passwords found in data breaches. And every single year, "password," "123456," and "qwerty" make the top five. In 2025, "password123" remained in the top 20 most used passwords globally.

This is both funny and deeply alarming.

Why passwords matter in the phishing context

Phishing attacks often aim to steal your login credentials outright. But weak passwords also fall to plain guessing. Once attackers obtain a copy of a site's password database from a breach, they can test billions of candidates per second offline against the stolen hashes, and a password that is short, common, or built from dictionary words is recovered in seconds. (Online login forms are usually rate-limited; it is the offline attack on stolen hashes that does the damage.)

Once a criminal has one working password, they try it on other accounts, a technique known as credential stuffing. If you're using the same password for your email, your banking app, and your Xero account... you're one breach away from a very bad day.

What makes a strong password?

A strong password is:

  • Long: At least 14 characters. Length matters more than complexity.
  • Random: Not based on real words, dates, or names.
  • Unique: Not used on any other account.
  • Not guessable from your life: Your pet's name, your birthday, your football team — criminals look for these patterns.

The passphrase approach

Struggling to remember a long random password? Try a passphrase instead. Four words chosen at random strung together, like `purple-kettle-November-bridge`, is both long (resistant to brute force) and memorable. The words must actually be picked at random, by a generator or dice, not by you: words people choose themselves tend to be related, and the strength comes from the size of the word list, not from the hyphens. (That example is now printed on a web page, so don't use it.) Add a number and symbol if the site requires it.

What to avoid:

  • Single words with obvious substitutions (`P@ssw0rd` — hackers know this trick)
  • Personal information (your name, your kids' names, your birth year)
  • Consecutive keyboard patterns (`qwerty123`, `asdfgh`)
  • Reusing passwords across multiple accounts
  • Passwords shorter than 14 characters
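The arithmetic behind "length matters more than complexity" is easy to work through. The following is an added example, not code from the original post: it estimates the entropy of a random character password versus a random passphrase, converts that into expected cracking time at an assumed offline guess rate, generates a passphrase with the OS random source, and flags the "obvious substitution" passwords listed above. The word list and the common-password list are constructed for the demo (a real generator uses a published list of several thousand words, such as the 7776-word EFF long list), and the guess rate of 10^10 per second is an assumption standing in for a GPU rig attacking a fast, unsalted hash.

```python
"""Added example (not from the original post): brute-force cost estimates,
passphrase generation, and a check for leet-speak variants of common passwords."""
import math
import secrets

# Constructed word list for the demo. A real passphrase generator uses a
# published list of several thousand words (the EFF long list has 7776),
# so four words from this 16-word list would only give 16 bits of entropy.
WORDS = [
    "purple", "kettle", "november", "bridge", "falcon", "marble",
    "lantern", "orbit", "velvet", "copper", "saddle", "thistle",
    "harbor", "meadow", "quartz", "ember",
]

# Constructed stand-in for the breach-derived "most common passwords" lists.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "password123", "letmein"}

# Leet-speak substitutions that cracking tools undo automatically via rules.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def generate_passphrase(n_words=4, wordlist=WORDS, sep="-"):
    """Pick words with the OS CSPRNG; never let a human 'choose randomly'."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits_random_chars(length, alphabet_size):
    """Bits of entropy for `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(n_words, wordlist_size):
    """Bits of entropy for `n_words` drawn uniformly from a word list."""
    return n_words * math.log2(wordlist_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Average time to hit the password: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second


def looks_like_common(password):
    """True if the password is a common password with trailing digits or
    punctuation bolted on and/or leet substitutions (P@ssw0rd, Password123!)."""
    base = password.lower().rstrip("0123456789!?.")
    return base.translate(LEET) in COMMON_PASSWORDS


if __name__ == "__main__":
    RATE = 1e10  # assumption: offline guess rate against a fast, unsalted hash
    for label, bits in [
        ("8 random chars, 95-symbol alphabet", entropy_bits_random_chars(8, 95)),
        ("14 random chars, 95-symbol alphabet", entropy_bits_random_chars(14, 95)),
        ("4 words from a 7776-word list", entropy_bits_passphrase(4, 7776)),
        ("6 words from a 7776-word list", entropy_bits_passphrase(6, 7776)),
    ]:
        years = expected_crack_seconds(bits, RATE) / (86400 * 365)
        print(f"{label}: {bits:.1f} bits, about {years:.2g} years at {RATE:.0e} guesses/s")
    print("demo passphrase:", generate_passphrase())
    for pw in ("P@ssw0rd", "Password123!", "purple-kettle-November-bridge"):
        print(f"{pw!r} looks like a common password: {looks_like_common(pw)}")
```

Two things the numbers make obvious: eight characters from the full keyboard (about 52 bits) and four words from a 7776-word list (about 52 bits) cost an attacker the same effort, and the passphrase is far easier to remember; and `P@ssw0rd` normalises straight back to `password`, which is exactly what a cracker's rule set does before guessing.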

Managing passwords you can't remember

Here's the honest truth: you cannot securely maintain unique, strong passwords for 50+ accounts in your head. Nor should you try. The solution is a password manager — a secure app that generates, stores, and autofills your passwords.

Reputable options include Bitwarden (free), 1Password, Dashlane, and the built-in managers in Chrome and Safari. You only need to remember one master password. The manager handles the rest.

For businesses

Password policies should be standard for any business that has more than one employee. Consider:

  • Requiring passwords of at least 14 characters
  • Forbidding reuse of previous passwords (keep a history of hashes and compare new passwords against it)
  • Screening new passwords against known-breached password lists, rather than forcing periodic changes, which only pushes people to predictable variations
  • Mandating MFA alongside passwords
  • Deploying a business password manager (1Password Teams, LastPass Business)
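A minimal version of such a policy check, as an added example rather than code from the original post or from any of the products named above. It enforces the 14-character floor, screens against a constructed stand-in for a breached-password list, and rejects reuse by verifying the candidate against the user's stored history of salted hashes. Hashing uses PBKDF2-HMAC-SHA256 from the Python standard library as an assumption so the example runs without dependencies; a production system would use Argon2id or bcrypt, and the iteration count here is lower than the 600,000 OWASP currently recommends for PBKDF2-SHA256 to keep the demo quick.

```python
"""Added example (not from the original post): a password-policy check with
length floor, breached-list screening, and a hashed history for reuse checks."""
import hashlib
import hmac
import secrets

MIN_LENGTH = 14
PBKDF2_ITERATIONS = 200_000  # assumption for the demo; OWASP recommends 600k
HISTORY_DEPTH = 5  # how many previous passwords are kept for the reuse check

# Constructed stand-in for a breached-password corpus such as Pwned Passwords.
BANNED = {"password", "password123", "123456", "qwerty123", "letmein"}


def hash_password(password, salt=None):
    """Return (salt, digest) for the password using a fresh 16-byte salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the candidate against a stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_policy(candidate, history):
    """Return the reasons a candidate password is rejected (empty means OK).
    `history` is a list of (salt, digest) pairs, newest first."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BANNED:
        reasons.append("appears in a known-breached password list")
    if any(verify_password(candidate, s, d) for s, d in history[:HISTORY_DEPTH]):
        reasons.append("reuses a previous password")
    return reasons


def set_password(record, new_password):
    """Apply the policy; on success store the new hash and trim the history."""
    problems = check_policy(new_password, record["history"])
    if problems:
        return problems
    record["history"].insert(0, hash_password(new_password))
    del record["history"][HISTORY_DEPTH:]
    return []


if __name__ == "__main__":
    user = {"history": []}  # constructed user record
    for attempt in ("Password123", "short1", "purple-kettle-November-bridge",
                    "purple-kettle-November-bridge"):
        result = set_password(user, attempt)
        print(f"{attempt!r}: {'accepted' if not result else ', '.join(result)}")
```

Note that the reuse check has to re-derive the hash for each stored entry, because every entry has its own salt; that is the cost of never storing previous passwords in a recoverable form, and with a history depth of five it is negligible on a password change.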

The uncomfortable stat

Over 80% of hacking-related breaches involve weak or stolen passwords. Fixing your password hygiene is one of the highest-impact, lowest-cost security improvements you can make.
