The top 5 password mistakes companies make

Over the holiday weekend, the fine folks at Social Media Today published an updated list of the most commonly used passwords. Not shockingly, 123456 remains at the top of the list. PEOPLE. Can we please get real? If you are still using a password that is 123456 or “password,” you are literally begging the criminals to hack your account. As the graphic states, “all of these passwords would take less than 1 second for a hacker to crack.”

Now, when it comes to corporate social media governance, here’s the point: If humans are terrible at managing their personal passwords, that means that those who are managing your company’s social media account passwords are probably doing it equally poorly. If you’ve never asked them about how this is managed, now might be the time.

To help, here are my top five mistakes companies make (which also ironically are the top five mistakes individual people make as well):

1) Bad passwords. “Password,” “qwerty,” “123456,” “iloveyou,” “000000” and your pet’s name are all terrible passwords. No one should use these ever. In the case of corporate account passwords, there are other password “no-nos” I’d add to the list.

• Any password containing the name of your company

• Any password containing the name of your brand, especially if the account in question is for that brand (hello, easily guessable password!)

• Any password containing the name of a key individual like the founder or CEO

• Any password containing a year that is significant to the company or brand. So, if you were Brand X and you were founded in 1953, “brandx1953” would be a terrible password.

2) Save to browser. This is my opinion, but it’s a strong one. Never, ever, ever, ever, ever save your passwords to Chrome or Safari or whatever browser you are using.

• First, I don’t believe these are safe enough, and entrusting all of your passwords to a third party that is not a security-related company is a bit questionable if you ask me. It’s just a matter of time before a clever hacker figures out how to mine that data. I don’t trust the technology. And I don’t trust the companies who own it.

• Second, what happens if some day Chrome crashes or there’s a technical glitch with Safari? You may not be able to access your passwords when you need them.

• Third, that’s a great way to hand someone all of your passwords if your device is stolen or even if your kid happens to hop behind the desk while you’re getting more coffee or in the restroom. (read here if you don’t think that happens)

3) No password manager. So, what should you do if you don’t save all your passwords in Chrome? I highly recommend (highly!) a password manager for all humans and all corporations. There are special tools that are designed to securely store and manage all of your passwords in one place. It’s digital. It’s encrypted. And most of these tools are zero knowledge (meaning the people who work for the tool vendor can’t access your stuff even if they wanted to). In addition, these tools can help you generate super secure passwords upon request – and you can make them 50 characters long if you want. If you want to make your passwords much more secure, choosing a randomized long secure password is a great way to do it.

I am not paid to recommend any tools. But my personal favorite is Keeper Security, and that’s the one I use personally. I would also recommend 1Password. I would not recommend LastPass as they have had too many security breaches of their own for me to feel comfortable recommending it anymore (though I used to). These tools are cheap. And they can truly help you put up a true defense against hackers. Keeper is as low as $3.33 a month for personal users ($7.08 a month if you want a family plan that allows you to share passwords across users – very handy when my husband forgets the Netflix password). Business plans start at under $5 per user per month.

Now if you’re thinking, gosh, Sue, that sounds like a lot of work. I’ll have to open my password manager, retrieve the password and then go log into something else. Nope, not true. Once you’ve got it set up, Keeper will pop up just like your stored passwords in the Apple universe (see screenshot). It is pretty much just as easy to use as the “store to browser” option, and it’s a heck of a lot more secure.

4) No password hygiene. Regardless of the strength of your passwords, you may falter if you don’t ever change or do anything with them. If you are managing your own personal Instagram password, I would still recommend changing it every so often just to be diligent. But if you are managing your company’s Instagram, you must practice good password hygiene. This means:

• Creating a schedule for changing all social media passwords every so often (for instance once per quarter).

• Changing the password any time anyone on the staff who knows the password leaves the company (this is how companies end up with an ex-employee posting bad stuff on their accounts!)

• Changing the password any time anyone external who knows the password leaves their role – particularly agency partners. This one is often overlooked and it’s a problem. It requires you to know when your agency has turnover.

• Being on alert for any security-related notifications that something is awry. For instance, if you get a notification that there was an unusual login attempt from a far away country, the very first step should be to change the password.

5) Passwords on a sticky note. It amazes me that in 2025, I still catch people writing down passwords on sticky notes and putting them under their keyboards. While that’s the most egregious example, there are lots of other completely insecure ways that people choose to store their passwords – both personal and for the billion-dollar brands they serve. (If your hair is not on fire by now, it should be.)

The following are all not good, not Sue-approved, not secure ways to store any social media passwords: sticky notes, “password journals,” Word docs, Notes, plain text anything, Excel spreadsheets, PDFs, scraps of paper, messages in the sand and in an email or text message to yourself. Additionally, if you are one of those people who says, “Ah yes, but I have a password-protected Excel spreadsheet or PDF,” sorry, that’s not secure either. Because what is the actual human behavior with such password-protected documents? You email someone the document with the password. Same problem. Again, the best way to store your passwords is in a digitally encrypted vault. These tools are incredibly affordable for individuals or businesses. There is no reason to be storing passwords in any of the ways above. Additionally, a management tool will allow safe sharing with your entire team and/or agency partners.

I’ve been writing about poor password management for years, and I guess I’m going to have to keep doing it for now. It is absolutely true that biometrics and other advanced ID methods may eventually make passwords moot. But until that day, if you are doing any of the five things above, now’s the time to create a better password management program for yourself and especially your company.

 More of my thoughts on passwords and good password management:

• The four pillars of good social media governance (hint: one of them is know all of your passwords!)

• Protect your passwords: 4 key tips to deter cybercriminals

• Six ways companies get locked out of their own social media accounts – and how to avoid them