8. Missing the mark on passwords
When it comes to security, new threats garner all the attention, but your biggest threat may be much more mundane: password policies. Weak or nonexistent passwords, user or admin accounts with widely known passwords, weak or well-known password-hashing algorithms -- each can sink your business.
But the other side has caveats as well. Make your password requirements too complex and draconian, and your policy can have the opposite of its intended effect. Users pushed to the limit of remembering passwords end up writing them down -- in a drawer, on a Post-It, or on a piece of tape stuck to their laptop's keyboard. Don't undermine the ultimate aim of your password policy by insisting on unrealistic requirements.