The common password mistake that’s exposing you to hackers
There’s no shortage of password-protected accounts these days, with everything from setting up a pair of wireless headphones to buying a pint on a pub app requiring new log-in details.
It’s perhaps no surprise that many of us attempt to use slight variations on the same password, even ones that have leaked online – but how secure is it really to change (for example) Potato123 to Potato456 or P0tato123?
It’s very common to do so: 60% of people in Britain admit reusing passwords, and of those, 62% make slight variations in the same password, believing that this protects them from cybercriminals, according to 2025 research by Nordpass.
But the idea that this makes a password more secure is “one of the most common misconceptions” about staying safe online, Darren Guccione, CEO of password management company Keeper Security, tells Yahoo News.
Many people believe that changing a single character in a password (e.g. swapping a number for a symbol, or changing a number) is enough to protect accounts.
“It’s understandable of course,” Guccione says. “People’s digital footprint today is significant and remembering complex passwords can be difficult, particularly when it might involve websites that users visit infrequently.
“So people, naturally, opt for shortcuts. Changing one letter can feel like an easy quick fix.”
Why is it not safe?
Cybercriminals often work from lists of passwords that have leaked in online ‘data breaches’, where information such as passwords is stolen from hacked sites.
Last week, for example, it was reported that 16 billion passwords were leaked online in one of the largest illicit data dumps in history.
And according to a report by financial insights company TransUnion published this week, one in seven people say they have lost money to fraud in the past year. Half (50%) said that a fraud attempt had been made against them in the past three months.
“The reality is that this simple step pales in comparison to the persistent efforts we see from cybercriminals today in attempting to gain access to your data,” Guccione says of those who think a simple password switch is enough to keep their details safe.
If your password has been compromised, simply changing one letter is not enough, as the tools today’s cybercriminals use allow them to guess multiple similar passwords at once.
“Cybercriminals are well-versed in this type of behaviour. So much so that today’s attackers routinely build these small variations into their cracking tools and password lists. They strongly expect this type of behaviour from users and they prepare accordingly,” Guccione says.
“These predictable variations are low-hanging fruit for hackers. If your credentials have been previously compromised in a breach, it’s safe to assume a new, slightly tweaked version will be just as vulnerable.
“Today’s hackers use automated tools, often powered by AI, that test common passwords and their slight variants by the millions.”
Billions of passwords have leaked online in this way; you can check whether yours has leaked on sites such as HaveIBeenPwned.com.
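The “slight variant” problem described above can be caught on the defending side: a password-change form or password manager can refuse a new password that is only a cosmetic tweak of the old (or a breached) one. The following is an added example, not code from the article or from Keeper Security; the substitution table and the edit-distance threshold are assumptions chosen for illustration.

```python
import re

# Cosmetic substitutions users commonly make (assumed list, not exhaustive).
# Applied AFTER stripping the leading/trailing digit or symbol run, so that
# "Potato456" becomes "potato", not "potatoas".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Reduce a password to its alphabetic 'core' by undoing cosmetic tweaks:
    case changes, a trailing/leading counter (123 -> 456), and leetspeak."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)   # Potato123 -> potato
    return core.translate(LEET_MAP)                  # p0tato    -> potato


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """True if `new` is a predictable rewrite of `old`, i.e. the kind of
    variant an attacker's rule set would generate from a leaked password."""
    old_core, new_core = normalize(old), normalize(new)
    # An all-digit/symbol password has an empty core; compare raw strings then.
    if old_core and old_core == new_core:
        return True
    return levenshtein(old.lower(), new.lower()) <= max_distance


def reject_variants(leaked: list[str], candidate: str) -> list[str]:
    """Return every leaked password that `candidate` is a trivial variant of.
    An empty list means the candidate is not a cosmetic rewrite of any of them."""
    return [p for p in leaked if is_trivial_variant(p, candidate)]
```

Feeding a constructed leaked list such as `["Potato123"]` into `reject_variants` flags `Potato456`, `P0tato123` and `Potato1234`, while a randomly generated 16-character string passes.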
What should you do instead?
Never reuse passwords, even with variations, Guccione advises.
Even if it’s for a site you won’t use often, there is a chance that site will be hacked and your password will be exposed – and then every other site on which you have used it (or a slight variation of it) will be vulnerable.
“Predictability is the ultimate failing when it comes to matters of cybersecurity. Cybercriminals prey on people’s underestimation of just how sophisticated their password cracking methods have become,” says Guccione.
He advises using passwords with no names, dates or dictionary words – they should, ideally, be randomly generated and at least 16 characters long.
He also recommends using a password manager app to store and generate passwords.
“Using a password manager is the digital equivalent of a security system: a modern solution designed to eliminate predictable habits entirely,” he says.
“This secure tool will generate strong, unique passwords and store them safely, so you don’t have to rely on memory or risky behaviours such as simple, reused passwords.”
Guccione also advises using two-factor authentication where possible on all accounts, either via codes sent to your mobile or via a dedicated app.
“This could be biometrics, a hardware security key or a code that is sent to your mobile device after you have logged in to an account,” he says.
“This second step verifies that it is in fact you who is logging in to said account. It provides an essential additional layer of security, so even if your password is cracked, your account remains protected.”