Hackers steal your passwords through a variety of methods including data breaches, password cracking, guessing, physical theft and malware. This can have serious consequences, especially if the hackers gain access to your accounts, but there are ways to protect yourself.
Read on to learn more about how hackers steal passwords and how to prevent them from gaining access to your accounts.
What Happens When Your Password Is Stolen?
When your password is stolen, cybercriminals may sell your information on the dark web to other hackers, or use it themselves to commit more cybercrimes.
Your stolen credentials may give hackers access to important accounts, such as your bank account, and allow them to steal other Personally Identifiable Information (PII). This can result in serious consequences such as stolen money and stolen identities. Recovering from a stolen identity is time-consuming and expensive, and the consequences can follow victims for years.
Methods Hackers Use To Steal Passwords
Here are a few methods hackers use to steal passwords.
1. Data breaches
Data breaches are one of the most common ways credentials are stolen. In 2022, over 422 million people in the U.S. were affected by 1,802 data breaches. These breaches, often at major companies with millions of users, can expose usernames and passwords, health information, credit card numbers, social security numbers and more.
To find out quickly whether your credentials have been compromised in a breach, complete a dark web scan.
2. Password cracking through brute force
Brute force is a method of password cracking that uses a bot to repeatedly guess random passwords until it finds the right one. These bots can try hundreds of passwords a second – but they are more likely to guess passwords that include dictionary words (also known as a dictionary attack) or passwords that are short.
A random, eight-character password can be hacked within eight hours. A password shorter than that can be cracked almost instantly. A random eighteen-character password with a mix of numbers, letters and special characters would take trillions of years to crack.
3. Guessing
Hackers may gather information by researching your digital footprint and attempt to guess your password by using what they learn. For example, they may try using the names of your loved ones, birthday or home address as part of a password. Unfortunately, cybercriminals are often successful at these attempts, as making a password with this information is common. Avoid using personal details, especially those that can be found on your social media, to make your passwords stronger.
Guessing may also include trying common default passwords, which can be easier to guess than a random password. It’s important to change your credentials from the default password on new accounts to a unique, complex password.
4. Shoulder surfing
Shoulder surfing refers to stealing information, including passwords, by physically viewing the victim entering in the information. Techniques can include criminals leaning over when someone is entering their PIN at an ATM or videotaping a user typing in their password. This can happen in an office, at a coworking space, a cafe, or anywhere your keyboard or computer screen may be visible.
It’s important to prevent shoulder surfing by not writing down your passwords, using privacy screens and using the “hide password” feature when entering them in public places.
5. Malware and keylogging
Malicious links and files can contain malware, which is harmful software designed by cybercriminals. Users might accidentally download malware when they are victims of online scams like phishing attacks. There are many ways malware can compromise your computer, but one of the most common types, called a keylogger, will record your keystrokes. With this recording, the cybercriminal can steal your credentials and any other confidential or sensitive information you type on your computer.
6. Man-in-the-middle attacks
Man-in-the-middle attacks occur when cybercriminals intercept data sent between two entities. There are a variety of methods for doing this, but cybercriminals often use public WiFi to attack their victims. Lots of sensitive information can be stolen using man-in-the-middle attacks, including credentials.
Avoiding public WiFi, setting a strong password for your home network and using a VPN can help prevent these attacks.
7. Social engineering
Cybercriminals often use social engineering to steal credentials. Social engineering, which can be used in tandem with other methods such as phishing, is the practice of using psychological methods to gain the trust of the victim in order to increase the likelihood they’ll provide sensitive information. These techniques often use research gathered from the victim’s digital footprint in order to help gain trust. Examples of these methods can include using an urgent message to cause the victim to panic and hand over information without thinking or pretending to be a victim’s loved one.
8. Password spraying
In password spraying, hackers will use a few common passwords to attack multiple accounts on a single website or application. Common passwords – like 123456 – are low-hanging fruit as many people use them despite knowing they are not very secure. This type of attack will likely allow the hacker access to hundreds of accounts on a major platform and avoids the password lockouts that happen with brute force attacks.
Using unique, complex passwords for all your accounts will prevent this type of attack.
9. Phishing
One of the most common attacks, phishing, occurs when a hacker pretends to be a legitimate entity, such as your bank and requests sensitive information, such as your password. They may even use a spoofed site, which is a fake login page that looks like the real one, to collect your credentials.
How to Tell Your Passwords Have Been Stolen
Depending on the type of attack, you may discover your password has been stolen in different ways. If you cannot access your account because the password has been changed, then that’s a sign that a cybercriminal has stolen your password and taken over your account. Passwords leaked in data breaches are sold on the dark web. You’ll be able to figure out if one of your credentials is stolen by using a dark web monitoring tool.
How To Protect Your Passwords From Hackers
Here are a few tips you can use to protect your passwords.
Use strong, unique passwords for each account
Cybercriminals have a lot of success trying common passwords because a large number of people still use them.
Some of the most common passwords in the world, according to research by SplashData, include:
- 123456
- password
- 12345
- 12345678
- football
- qwerty
- 1234567890
We recommend using a password with at least 16 characters, including upper and lower case letters, numbers and special symbols. The password should be random, with no dictionary words or personal details like birthdays.
Having unique passwords for all your accounts makes them difficult to remember, but using a password manager will help. Password managers store your passwords in a vault that can only be unlocked with your master password – the only password you will need to remember.
Change your passwords when breaches occur
Use a dark web monitoring tool to learn when data breaches occur and have compromised your accounts. When you get notified that a password has been compromised, change your password right away.
Learn to recognize phishing attempts
Identifying phishing attempts has gotten more complicated in a world where AI can effectively imitate the writing of real people. Phishing can appear in the form of emails, texts or other messages and often claim the user needs to complete an urgent task to avoid losing money or face some other consequence. The message may ask the user to hand over account information or PII like your Social Security number.
To avoid phishing, be skeptical of unexpected messages and follow cybersecurity news to get word of new types of attacks that are emerging.
Protect Your Passwords From Hackers
Using unique, complex passwords with a mix of character types is the best way to protect your passwords from hackers.
Keeper Password Manager will automatically generate strong passwords, securely store them in an encrypted vault and automatically fill passwords on websites so you don’t have to manually type them. For simple protection against cybercriminals, enjoy a free 30-day trial of Keeper Password Manager.
