If you’ve had your passwords stolen, or you’re concerned about fortifying your digital defenses, you may be wondering, just how do hackers steal passwords?
Cybercrime is a constant threat today, and online fraudsters have plenty of tricks for stealing passwords. And if hackers gain access to your details, the results can be devastating – opening the door to fraud, major financial losses, and identity theft.
This guide will cover the tactics hackers use and provide you with steps to take to protect yourself based on our own research and testing. If you’re looking for an immediate solution, I recommend using one of the best password managers. They’re extremely helpful tools for storing and generating unique passwords for your accounts, and they make the process fast, easy, and secure.
The Best Password Managers for Protecting Your Information
- 1Password – Overall best password manager for security
- NordPass – Best cheap password manager for security
- Total Password – Best browser password manager for protection
How Do Hackers Get Passwords? Common Ways Cybercriminals Crack Passwords
Protecting your passwords is an ongoing battle. To shield yourself effectively, you need to understand the password-hacking weapons used against you. I’ll now break down the most common ways hackers steal your passwords and how you can protect yourself. So – how do you get hacked?
1. Brute Force Attacks and Dictionary Attacks
Dictionary attacks are a type of brute-force attack where hackers use commonly available lists of words, phrases, and leaked passwords. These lists can be large and often incorporate names, slang terms, and even pop culture references.
If hackers acquire a database of encrypted (hashed) passwords in a breach, they can run commonly used passwords through the same process and match the results to real logins.
These attacks can get results surprisingly quickly, especially if your password is short or simple. The most common passwords account for a large percentage of all passwords used, so hackers can get large numbers of results by using brute-force attacks on stolen password databases.
The longer and more complex your password is, the more time it will take for a brute-force attack to succeed. Every additional character increases the number of possible combinations. Strong passwords should have a mix of uppercase and lowercase letters, numbers, and symbols.
Hackers use powerful password-cracking tools like John the Ripper, Hashcat, and Aircrack-ng to automate these attacks. With advancements in computing power, even seemingly complex passwords can be vulnerable.
Researchers have found that a random, eight-character password can be hacked in under an hour using Nvidia RTX 4090 graphics processing units (GPUs). A random eighteen-character password with a mix of numbers, letters, and special characters, on the other hand, would take trillions of years to crack with current technology.
To make your passwords resistant to brute-force attacks:
- Aim for at least 12 characters – Generally, the longer the password, the better.
- Use combinations of letters, numbers, and symbols – Don’t just combine multiple words; use random combinations to make the password as hard to crack as possible.
- Avoid common substitutions – Using “P@ssw0rd” instead of “password” isn’t fooling anyone, and hackers have dictionaries for this.
- Use a password manager – Most password managers include password generators that can create strong passwords that are randomly generated and are difficult to crack with dictionary attacks. They then store them so they’re readily accessible while also being secure.
- Use a password strength checker – There are many free online tools to assess the strength of your passwords. Many dedicated password managers, like NordPass, run password audits and will flag weak, reused, and potentially compromised passwords.
- Create unique passwords for every account – This significantly reduces the impact if one password happens to be compromised.
- Watch out for data breaches – Many password managers, including 1Password and Keeper, can also alert you if a password you’ve saved has been involved in a known data breach.
2. Credential Stuffing
Credential-stuffing attacks rely on the fact that many people reuse the same passwords across multiple websites and services. If one of your accounts is compromised in a data breach, and you use the same password elsewhere, hackers can easily access all your other accounts by testing the leaked username and password combinations.
Hackers can also use a reverse brute-force attack, in which they start with a known password and attempt to match it with other usernames.
Password managers provide several ways to defend against credential-stuffing attacks.
- Use unique passwords for every online account – This prevents a single breach from having a cascading effect on your entire online presence. Password keepers make it easy to store as many strong, unique passwords as you need.
- Use a password generator – This can help you create complex and truly random passwords. Of course, a password vault can store them, so you don’t have to remember them, and they’ll typically flag weak and reused passwords.
- Check for leaked credentials – Many password apps incorporate features to check if your email addresses or passwords have been exposed in data breaches, enabling you to update them before criminals can take advantage of the stolen credentials.
3. Phishing
Phishing messages may create a sense of urgency and claim there are issues with your account, or they might offer tantalizing deals. The goal is to get you to click on a malicious link or download an infected attachment.
Malware and keyloggers can potentially record all your login details, giving hackers access to your accounts. Fraudsters also set up fake sites that resemble real domains. If you enter your details here, they’ll immediately fall into the wrong hands.
The infamous “Nigerian Prince” scam is a classic example of a phishing attack. The victim receives an email from a supposedly wealthy person claiming to need help transferring money and offers a generous reward – but all they really want are your details or a “down payment” that will apparently unlock the funds.
Phishing attacks accounted for over a third of all US data breaches in 2023. For more information, check out our article on the anatomy of a phishing attack.
Warning signs of phishing attempts include:
- Poor grammar and spelling – Phishing emails are often riddled with errors.
- Generic greetings – Emails may start with “Dear Customer” instead of your name.
- Suspicious URLs – Hover over links without clicking them to check their destinations. Misspelled domains or unusual addresses are red flags.
- Demands for immediate action – Phishers want you to act rashly without thinking things through, so always take a moment to consider what you’re being asked.
Expert tip – Many of the best antivirus software products include anti-phishing features. These tools actively analyze websites and emails to identify and block potential phishing attempts. Popular solutions include McAfee and Norton, which comes with its own password manager. You might also consider using one of the best VPN tools to further protect yourself from online tracking.
4. Malware and Keylogging
Keyloggers are often spread through phishing emails, malicious attachments, and infected websites. They can even sneak onto your devices via seemingly legitimate software downloads.
Once installed on your device, keyloggers can secretly record and transmit sensitive information, facilitating data exfiltration. If you store your passwords in your browser rather than with a secure password manager, then they’re likely to be vulnerable to malware.
To protect yourself from keyloggers:
- Keep your antivirus and anti-malware software up to date – Reliable security software can detect and remove keyloggers.
- Be cautious about what you download – Only download software and files from trusted sources, and be wary of emails from individuals you don’t know.
- Use a virtual keyboard for sensitive information – Some password managers and banks offer virtual keyboards that prevent keylogging as your key presses don’t go through an actual keyboard.
- Be vigilant when using public computers – Avoid logging into sensitive accounts on public computers, as they could be infected with malicious software.
If you believe you may be a victim of keylogging, check out our guides on how to detect keylogger software, how to remove spyware from an iPhone, and how to remove spyware from Android.
5. Written Notes and Shoulder Surfing
If you have a written record of your password taped to your monitor or in a nearby drawer, then it’s simple for anyone who finds it to access your accounts. Equally, if someone is able to watch as you enter your password – as might happen at an ATM – then they may be able to reproduce it.
You should also be very wary of handing unlocked mobile devices to strangers, as this can give crooks rapid access to your information and accounts.
To protect your passwords on desktop and mobile:
- Use complex passwords – Simple passwords like “123” are easy for an onlooker to follow and copy, while randomized codes will be far harder to reproduce.
- Use a password manager – Password managers enable you to copy and paste your password, meaning that it’s never exposed to anyone who might be watching. They also make it easy to use complex passwords.
6. Guessing, Social Engineering, and Phone Scams
When deploying social engineering tactics for password theft, hackers may build a scenario to gain the victim’s trust to extract information, such as claiming they’re calling from tech support, or bait the user with an enticing offer, like a free download or prize.
Fraudsters may also research your social media accounts to build a profile on you, enabling them to guess passwords based on your interests and the names of your loved ones.
Hackers know that people often choose easy-to-remember passwords based on their names, birthdates, pets, and favorite things. These passwords are also highly vulnerable to dictionary attacks.
The UK’s National Cyber Security Centre (NCSC) found around one in six people use their pets’ names as passwords, and one in three people use the same password across multiple accounts and websites, making them easy targets.
The best defense against social engineering is a healthy dose of skepticism. Follow these practices:
- Verify the source – If you receive an unexpected call or text asking for personal information, independently verify the sender’s identity before providing any details. Contact the company or person directly via their official website or a confirmed phone number.
- Never follow suspicious links or open attachments – These can lead to malware infections and phishing websites, even if a supposed company representative on the phone has directed you to them.
- Don’t be pressured – If someone is trying to rush you into making a decision or providing information, it’s usually a red flag. Take your time to assess the situation.
- Educate yourself about common social engineering tactics – By learning the tricks fraudsters use, you’ll make yourself harder to deceive.
- Make your social accounts private – This makes it harder for fraudsters to gather information on you.
- Don’t use common words or personal information in your passwords – Avoid anything that could easily be guessed or found through social media.
7. Man-in-the-Middle Attacks
By eavesdropping on unsecured public Wi-Fi, malicious actors can use this approach to gather information on hundreds of people in locations like cafes, stations, and airports.
If you have to use public Wi-Fi, it’s best not to access sensitive information, such as logging into your financial accounts. That said, you can protect yourself by using a VPN like NordVPN or Surfshark, which encrypts your internet traffic and stops anyone from eavesdropping on you.
8. Password Spraying
Unfortunately, many people still use simple, easy-to-guess passwords like “123456” and “password.” Password spraying attacks leverage this weakness by trying a handful of common passwords against many different accounts, staying under the failed-attempt threshold for any single one. To protect yourself from password spraying:
- Never use common or default passwords – They’re the first ones that hackers will try.
- Implement account lockout policies – Set your online accounts to lock after a few failed login attempts. This slows down password-spraying attacks.
- Monitor for suspicious login activity – Keep an eye on your account activity logs. Report any unauthorized login attempts immediately.
- Use multi-factor authentication (MFA) – If you have two-factor authentication or MFA in place, it’ll make unauthorized access dramatically harder, even if your password is guessed. Password managers like 1Password and NordPass can integrate with MFA tools like Google Authenticator to further streamline the login process.
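As an added illustration (not part of the original article) of the “monitor for suspicious login activity” point, this Python snippet flags the password-spraying pattern in an authentication log: one source failing against many different accounts within a short window, rather than hammering a single account. The log lines, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAIL
2024-05-01T09:00:03Z 203.0.113.7 bob FAIL
2024-05-01T09:00:05Z 203.0.113.7 carol FAIL
2024-05-01T09:00:08Z 203.0.113.7 dave FAIL
2024-05-01T09:00:10Z 203.0.113.7 erin FAIL
2024-05-01T09:00:12Z 203.0.113.7 frank FAIL
2024-05-01T09:01:00Z 198.51.100.9 alice FAIL
2024-05-01T09:01:20Z 198.51.100.9 alice FAIL
2024-05-01T09:01:40Z 198.51.100.9 alice OK
"""


def parse(line):
    """Split one log line into (timestamp, source IP, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: distinct_accounts} for sources whose failed logins
    hit at least min_users different accounts inside any window-long period.
    A per-account lockout never fires here, because each account sees only one failure."""
    fails = defaultdict(list)  # source IP -> [(timestamp, username)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse(line)
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


if __name__ == "__main__":
    print(detect_spraying(SAMPLE_LOG))  # the second source (one account, then success) is not flagged
```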
How Can Antiviruses and VPNs Prevent Password Theft?
Having a reliable password manager makes it easy to securely save and access complex passwords whenever you need them. Products like 1Password also make it simple to securely share passwords and will alert you if your details have appeared in a data breach.
An antivirus, like TotalAV or Norton Antivirus, can further protect you by ensuring that your system is safe from malware, spyware, and ransomware, which could enable hackers to access your logins and financial accounts or to lock your device.
VPNs, like NordVPN and Surfshark, offer additional security by encrypting your internet traffic, which can protect you from man-in-the-middle attacks. NordVPN also includes a web protection tool, while Surfshark includes a full antivirus product. Many antiviruses and VPNs also include dark web monitoring features, alerting you if your login information has appeared in an online data breach.
Summary – How Do Hackers Get Your Information?
Your passwords and logins are the keys to your whole online life. Hackers are relentless in their attempts to crack passwords, but by understanding their techniques and following the best practices outlined in my guide – using strong, unique passwords and storing them securely, being on the lookout for breaches and phishing, and implementing MFA – you’ll make it far harder for fraudsters to breach your accounts.
Strong passwords and a reliable password manager like 1Password are your best defenses against attackers, but don’t underestimate the importance of being cautious about sharing information online. By taking proactive steps, you can significantly reduce your risk of falling victim to password theft – and the devastating consequences that can come with it.