
How Hackers Steal Your Passwords


By Harper Stewart

Sep 11, 2023

Unlike pricier options such as fingerprint or facial recognition, passwords remain popular because they are cheap and easy to use. They are the basic security measure most users rely on, prized for their simplicity and ubiquity. Paradoxically, that same ubiquity also makes them an attractive target for attackers. In this article, we explore how attackers steal passwords and how such breaches can be prevented.

Phishing Attacks

Phishing email.

Phishing and spear-phishing attacks are the origin of more than 70% of cybercrimes. They are a common way for attackers to obtain user credentials, either for their own use or to resell on the dark web. Phishing is a social engineering technique that tricks people into handing over their credentials by making them believe they are responding to a genuine request from a trusted website or provider.

Phishing frequently, but not always, arrives by email, which may carry malicious attachments or links to look-alike websites. Somewhere in the chain of events that begins with the user taking the bait, the criminals present a fake login form to capture the victim’s username and password. Thieves may also use a man-in-the-middle attack or another form of interception to grab credentials in transit between the user and a legitimate sign-in page.

Credential Stuffing

An illustration of how credential stuffing works.

Credential stuffing, which tests stolen username and password pairs across many sites to find accounts where they still work, is used by attackers every day against tens of millions of accounts. The technique, also known as list cleansing or breach replay, consists of replaying databases of stolen credentials against a wide range of accounts and looking for matches.

Attackers deliberately go after sites with weak security measures, because those are routinely compromised and their password databases are easy to steal. The stolen credentials are then sold on underground forums on the dark web. Because many users reuse the same password on many websites, thieves have a statistically significant chance of finding cases where a user has used exactly the same credentials for several separate accounts.

Brute Force

Brute force attack.

Attackers use a variety of strategies to reduce the cost and duration of brute-force attacks. Dictionary attacks, also known as cracking dictionaries, draw on word lists, popular passwords, and leaked credentials to quickly guess the passwords users are most likely to choose. Password spraying, similar to password dumping, has the attacker slowly work down a list of popular passwords to gain access to the victim’s accounts; the attacker usually already knows the victim’s usernames.

Credential stuffing goes a step further. The attacker takes lists of leaked credentials (username and password combinations) and checks them against other accounts to see whether they match. Because employees reuse passwords that were exposed in breaches of other sites, this strategy works even against sites with adequate security measures. Attackers who know something about a password, for example that a particular character is required, and tailor their guesses to that information are performing mask attacks. All of these rely on brute-force guessing to break into your systems.

Password Spraying

The most common passwords over the years.

Password spraying attacks are thought to account for about 16% of password attacks. Password spraying tries a list of frequently used passwords (such as 123456, password123, 1qaz2wsx, letmein, batman, and others) against user account names. Like credential stuffing, the basic idea is to match a list of user accounts against a list of passwords. With credential stuffing, however, the passwords are ones already known to belong to specific users. Password spraying is more direct.

The attacker holds a list of usernames but does not know the passwords. Instead, a list of the most popular passwords is tried against each login. Depending on factors such as the time and resources the attacker has, this may be the top 5, 10, or 100 passwords. Because most websites detect repeated login attempts from the same IP address, the attacker has to spread the attempts across numerous IP addresses to increase the number of passwords that can be tried before being noticed.
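The brute-force and password-spraying sections above describe two failure patterns that look very different in an authentication log: a brute-force run hammers one account many times, while a spray touches many accounts once or twice each and is spread over several IP addresses to stay under per-IP lockout thresholds. The following added example (not code from the original article) parses a constructed, made-up log format and labels each source IP by which pattern it shows; the thresholds and the log format are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log in a made-up format (not from the article).
# 203.0.113.10 sprays one guess each at six accounts, 198.51.100.7 brute-forces
# "admin", and 192.0.2.5 is a user who mistypes once and then logs in.
SAMPLE_LOG = """\
2023-09-11T10:00:01Z auth FAIL user=alice src=203.0.113.10
2023-09-11T10:00:03Z auth FAIL user=bob src=203.0.113.10
2023-09-11T10:00:05Z auth FAIL user=carol src=203.0.113.10
2023-09-11T10:00:07Z auth FAIL user=dave src=203.0.113.10
2023-09-11T10:00:09Z auth FAIL user=erin src=203.0.113.10
2023-09-11T10:00:11Z auth FAIL user=frank src=203.0.113.10
2023-09-11T10:01:00Z auth FAIL user=admin src=198.51.100.7
2023-09-11T10:01:01Z auth FAIL user=admin src=198.51.100.7
2023-09-11T10:01:02Z auth FAIL user=admin src=198.51.100.7
2023-09-11T10:01:03Z auth FAIL user=admin src=198.51.100.7
2023-09-11T10:01:04Z auth FAIL user=admin src=198.51.100.7
2023-09-11T10:01:05Z auth FAIL user=admin src=198.51.100.7
2023-09-11T10:02:00Z auth FAIL user=alice src=192.0.2.5
2023-09-11T10:02:04Z auth OK user=alice src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def classify_sources(records, spray_min_users=5, spray_max_per_user=2,
                     brute_min_attempts=5):
    """Label each source IP by its failure pattern:
      'spray'       - few failures each against many distinct accounts
      'brute-force' - many failures against a single account
      'normal'      - anything else (e.g. one typo followed by a success)
    The thresholds are illustrative assumptions; tune them to your environment."""
    fails_by_src = defaultdict(lambda: defaultdict(int))  # src -> user -> fails
    for r in records:
        if r["result"] == "FAIL":
            fails_by_src[r["src"]][r["user"]] += 1

    verdicts = {}
    for src, per_user in fails_by_src.items():
        distinct_users = len(per_user)
        worst_user = max(per_user.values())
        if distinct_users >= spray_min_users and worst_user <= spray_max_per_user:
            verdicts[src] = "spray"
        elif worst_user >= brute_min_attempts:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "normal"
    return verdicts


def spray_breadth(records, max_per_user=2):
    """Source-independent signal for a spray spread across many IPs: the number of
    distinct accounts with at most `max_per_user` failures, regardless of source.
    A sudden jump in this count is suspicious even when every single IP looks quiet."""
    fails_by_user = defaultdict(int)
    for r in records:
        if r["result"] == "FAIL":
            fails_by_user[r["user"]] += 1
    return sum(1 for n in fails_by_user.values() if n <= max_per_user)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, verdict in sorted(classify_sources(recs).items()):
        print(f"{src:15} {verdict}")
    print("accounts with <=2 failures:", spray_breadth(recs))
```

The per-IP classifier catches the noisy cases, but because sprayers deliberately rotate source addresses, the account-wide breadth counter is the signal worth alerting on: a spike in "many accounts, one or two failures each" across the whole log is the fingerprint that per-IP lockout rules miss.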

Keylogging

Keylogging attack example.

Keylogging is frequently employed in targeted attacks where the attacker either knows the victim (spouse, coworker, relative) or is particularly interested in the victim (corporate or nation-state espionage). Keyloggers record the keystrokes you type and can be a particularly efficient way to collect passwords for online bank accounts, cryptocurrency wallets, and other logins behind protected forms.

Keylogging is harder to carry out than credential stuffing, phishing, or password spraying, since it first requires gaining access to, or infecting, the victim’s workstation with keylogging malware. That said, there are several freely available post-exploitation kits that provide attackers with off-the-shelf keyloggers, as well as commercial spyware products ostensibly sold for parental or staff monitoring.

Local Discovery

Even a family member might want to steal your password.

This tactic is frequently used in targeted attacks and is typically initiated by someone with a known link to the victim, such as friends, family, coworkers, or even law enforcement. Local discovery occurs when you write down or use your password somewhere it is visible to others. The attacker then finds the password and uses it, often without you ever knowing that it has been compromised. You may have seen movie scenes in which detectives go through a suspect’s trash for clues about their whereabouts.

Digging through dumpsters for passwords is local discovery too. In the same way, seemingly innocent habits like sticking a Post-it note on your monitor or keeping your login details in a desk drawer can lead to breaches. There are also more covert forms of local discovery, such as eavesdropping on Bluetooth traffic or extracting plain-text passwords from URLs or logs. Then there is “shoulder surfing”, in which someone quietly watches you enter your credentials.

This might be a coworker glancing over your shoulder as you log in at your desk, or surveillance cameras in public places like coffee shops that record people typing in their login details.

Extortion

Malware example.

You can also be blackmailed directly: someone simply demands your credentials, openly and up front. You then have to decide whether to hand over your password or face the consequences.

The power dynamic between attacker and victim is central to this strategy. When the attacker is in a position to cause harm or embarrassment if you refuse, they will demand your password. This may involve threats against your safety or that of your loved ones, or threats to expose private information, pictures, or videos. Software known as Remote Access Trojans (RATs), which lets attackers watch you through your webcam or other cameras, can be used to feed this kind of extortion.

How to Create a Secure Password?

A password generator.

People dislike creating and memorizing complicated passwords, which is one of the main reasons credential stuffing and password spraying are so effective. The good news is that password managers save you that time and effort, which should not be news, as they have been around for quite some time. They are easy to get hold of, and some browsers even have built-in password suggestions. They are obviously not perfect.

They usually rely on a master password which, if stolen, puts all of your eggs in one basket. Even so, using a password manager dramatically reduces your risk of password theft compared with not using one. We consider a password manager a fundamental Security 101 practice, since the advantages vastly outweigh the risks.
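A password manager helps on the user's side; on the service's side, the counterpart is refusing exactly the passwords the spraying and dictionary lists above are built from. The following added example (not code from the article or any product it mentions) is a blocklist-based check in the spirit of modern password guidance: it rejects short passwords, known-common passwords including their cheap variants (case changes, leetspeak, trailing digits and symbols), passwords containing the username, and passwords with almost no character variety. The blocklist is a small constructed sample that includes the article's own examples; a real deployment would load a large breached-password list.

```python
import re
import unicodedata

# Constructed illustrative blocklist (a real deployment loads a large list of
# breached and common passwords); the article's own examples are included.
COMMON_PASSWORDS = {
    "123456", "password", "password123", "1qaz2wsx", "letmein", "batman",
    "qwerty", "welcome", "iloveyou",
}

# Letter/symbol substitutions that cracking dictionaries already account for.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

TRAILING_JUNK_RE = re.compile(r"[\d!@#$%^&*]+$")


def normalize(password):
    """Collapse cheap variations (case, leetspeak, trailing digits or symbols)
    so that 'P@ssw0rd2023!' is recognised as 'password'."""
    s = unicodedata.normalize("NFKC", password).lower()
    stripped = TRAILING_JUNK_RE.sub("", s)
    s = stripped or s  # keep all-digit inputs intact instead of emptying them
    return s.translate(LEET_MAP)


# Blocklist entries are normalized the same way so that variants match.
NORMALIZED_BLOCKLIST = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(password, username=None, min_length=12):
    """Return the list of reasons the password is weak; an empty list means it passes.
    Checks: minimum length, exact blocklist hit, blocklist hit after normalization,
    username reuse, and very low character variety."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    elif normalize(password) in NORMALIZED_BLOCKLIST:
        problems.append("resembles a common password after normalization")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate, user in [("letmein", None), ("P@ssw0rd2023!", None),
                            ("bruce-wayne-2023", "bruce"),
                            ("correct horse battery staple", None)]:
        verdict = check_password(candidate, username=user) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalization step is the part worth copying: a policy that demands "one digit and one symbol" but accepts "P@ssw0rd2023!" has not raised the bar at all, because that variant sits near the top of every cracking dictionary. Comparing the normalized form against a normalized blocklist catches it without punishing genuinely long, unique passphrases.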

The Summary

Weak and strong passwords.

Passwords are here to stay, and there are strong arguments for keeping them. While biometric measures like face and fingerprint recognition are important, passwords have an important advantage in that they rely on “something you know” rather than “something you have.” As long as it is sufficiently complex, unique, and kept private, a password is stronger than a physical token that can be seized, because there is nothing physical to take.

Combining good password practices with two-factor or multi-factor authentication reduces the risk of a password-related breach to a minimum and keeps it tightly contained. Sticking to good password hygiene ensures that even if your login details are exposed in a compromise of one insecure service, the damage is limited to that service. Being careful about password security therefore protects you from data loss through password theft.


Harper Stewart

With a deep understanding of the complexities of the Dark Web, Harper curates informative and thought-provoking content for our readers. Her knowledge of the hidden corners of the internet and cybersecurity helps shed light on the often mysterious and illicit activities that take place in this realm.