Three Common but Risky Authentication Practices to Avoid