Understanding how hackers steal passwords is important for protecting yourself online — cybercriminals use many different methods to obtain credentials and access accounts. And as these methods continue to improve, it’s important to have a good understanding of how they work.
If a hacker gets a hold of your passwords, they can break into your email and bank accounts and even steal your identity. Often, this happens because of weak security habits, like using easy-to-guess passwords, reusing the same passwords across multiple accounts, or sharing them over unsecure channels.
This guide will arm you with the knowledge to keep your passwords safe from hackers. You’ll learn about their tactics, how they pull them off, how to avoid them, and how to know if your passwords have been compromised. For top-notch password storage, I recommend 1Password — it’s secure, user-friendly, and works seamlessly across all devices and platforms.
How Do Hackers Steal Passwords?
Hackers have a variety of tricks to steal your passwords. Understanding their methods can help you protect your personal and financial information. Here’s a breakdown of common techniques hackers use and how to defend against them:
Passwords Leaked in Data Breaches
When hackers pull off a data breach, they infiltrate systems to swipe sensitive info, like passwords. This stolen data can then be used for all sorts of malicious purposes or sold on the dark web.
How it works:
- Exploiting vulnerabilities — Hackers often target websites and databases with weak security. They exploit these gaps to steal huge amounts of user data, including login credentials, credit card details, and Social Security Numbers (SSNs).
- Dark web marketplaces — After stealing the data, hackers usually advertise and sell it on shady marketplaces and forums on the dark web. Other cybercriminals or identity thieves buy this info to commit more fraud or identity theft.
How to avoid it:
- Use unique passwords — Create different, complex passwords for each of your accounts. A password manager like 1Password can help you create and store these unique passwords.
- Stay informed — Regularly check for news of data breaches. If you learn that a company you have an account with has been breached, change your passwords immediately to prevent unauthorized access.
- Verify fraud alerts — If you get an email about a data breach, don’t respond directly. Instead, visit the company’s official website or call their customer support to verify the situation. Hackers sometimes send official-looking emails claiming there’s been a breach and include a link to “resolve” the issue or secure your account.
Phishing Attacks
Phishing attacks are deceptive tactics cybercriminals use to steal your personal information, including passwords.
How it works:
- Deceptive emails — Hackers send emails that look like they’re from trusted sources, such as banks, government agencies, or popular online stores. These emails often contain links to fake websites designed to steal your information.
- Malicious links — Clicking on these links can either take you to a scam website or trigger a malware download, giving hackers access to your device and personal information.
How to avoid it:
- Ignore spam — If you get an unexpected email, even if it looks legit, resist the urge to respond. Delete suspicious messages, especially those with typos or strange email addresses.
- Avoid clicking links — Don’t click on links or download attachments from unfamiliar sources. Using an antivirus with strong anti-phishing protection like Norton is also a good idea.
- Protect personal information — Never share sensitive information like passwords or financial details via email. Instead, use a good password manager to share passwords securely.
Vishing
Vishing, or voice phishing, is a type of phishing attack where hackers use phone calls to trick individuals into revealing personal information.
How it works:
- Impersonation of trusted entities — Hackers often pose as representatives of reputable organizations like banks, government agencies, or well-known companies. They use social engineering tactics to create a sense of urgency or fear, convincing victims to provide sensitive information, including passwords.
- Spoofed phone numbers and caller IDs — To make their calls appear legitimate, vishers often use technology to spoof phone numbers and caller IDs. This makes the call seem like it’s coming from a trusted source, increasing the likelihood that the victim will trust the caller and provide the requested information.
How to avoid it:
- Verify the caller’s identity — Even if you think the call might be legitimate, don’t provide any information over the phone. Instead, contact the organization directly using the contact information from their official website.
- Hang up immediately — If a caller requests personal information or creates a sense of urgency, hang up. Legitimate organizations won’t press you for sensitive information over the phone.
- Join the National Do Not Call Registry — Registering your phone number can help reduce the number of unwanted calls you receive. Companies that ignore the registry and call you anyway can face penalties.
Brute Force Attacks
A brute force attack is a method hackers use to crack passwords by systematically guessing combinations until they get the right one. They often use powerful computing tools to speed up the process.
How it works:
- Simple brute force attacks — Hackers manually try to guess login credentials using common password combinations or personal identification numbers (PINs). This method targets weak passwords like “password123” or “1234” and poor password practices such as reusing passwords across multiple sites.
- Dictionary and hybrid attacks — In a dictionary attack, hackers use lists of common words and variations with numbers and special characters to guess passwords. A hybrid attack combines this method with brute force techniques, trying combinations such as “SanDiego123” or “Rover2020” to reveal login details.
- Reverse brute force — These attacks start with a known password and look for matching usernames.
How to avoid it:
- Use strong passwords — Again, creating complex passwords for each account will help protect your passwords from being hacked.
- Use password managers — Password managers help generate and store strong, unique passwords for all your accounts.
- Enable multi-factor authentication (MFA) — MFA adds an extra layer of security by requiring additional verification beyond a password, such as a code sent to your phone or a fingerprint scan.
Dictionary Attacks
Dictionary attacks are like a hacker’s version of a word guessing game but with much higher stakes. Instead of trying every possible combination, these attacks use a curated list of common passwords to crack your accounts.
How it works:
- Use of common passwords — Hackers use lists of commonly used passwords as a “dictionary” to hack into an account. By pairing each password from the dictionary with different usernames, attackers can quickly try multiple combinations to find a match.
- Automated systems for rapid attempts — Hackers often use automated tools to speed up the process, allowing them to try thousands of password combinations in a short time.
How to avoid it:
- Create stronger passwords — Make sure your passwords are strong and unique. Avoid using common passwords or simple variations. Most online accounts now require medium password strength when you sign up, but always aim for the highest level of security.
- Use passphrases — Instead of short, easy-to-guess passwords, use longer passwords or passphrases. A passphrase can be a sentence or a combination of unrelated words, which makes it easy to remember but really hard to crack. NordPass’s passphrase generator can help you generate passphrases between 3 and 10 words long to secure your accounts.
Keylogging
Keylogging, or keystroke logging, is a method used to secretly record the keystrokes on a keyboard without your knowledge.
How it works:
- Software keyloggers — Hackers distribute keyloggers through malicious software downloads, phishing emails, or compromised websites. Once installed, the software records every keystroke on the victim’s device and sends the data to the attacker. For example, the DarkHotel malware targets unsecured hotel Wi-Fi networks and prompts users to download keylogger software.
- Hardware keyloggers — These are physical devices attached to a computer to log keystrokes. They’re usually placed between the keyboard and the computer or hidden inside the keyboard itself. Although less common due to the need for physical access, they still pose a threat in certain environments.
How to avoid it:
- Enable two-factor authentication (2FA) — Even if a keylogger captures your password, 2FA adds an extra layer of security and prevents the hacker from accessing your accounts.
- Use an antivirus — A reliable antivirus can detect and remove software keyloggers from your device.
- Use on-screen keyboards — Antivirus programs can’t detect hardware keyloggers. Therefore, when using public or shared devices, use an on-screen keyboard to enter sensitive info. This can prevent keyloggers from capturing your keystrokes.
- Secure environments — Only use trusted and secure computers for entering sensitive information. Avoid using public or shared computers for tasks that involve sensitive data if you can.
- Keyboard encryption — Some high-end keyboards come with built-in encryption that can prevent keyloggers from capturing keystrokes. Consider investing in one if you handle sensitive information regularly.
Credential Stuffing
Credential stuffing happens when hackers use your password from one account to try to access another account, betting on the chance that you’ve reused your password.
How it works:
- Data breach exploitation — Hackers get hold of usernames and passwords from a data breach, like the NeoPets breach that compromised 69 million user accounts.
- Automated attacks — Instead of manually trying combinations, hackers use automated tools, typically a botnet, that distribute the attempts across many IP addresses and rapidly test a single password for each username across various accounts.
- Single attempt strategy — Instead of trying multiple password combinations, hackers use one password per username, relying on the likelihood that you have reused your passwords across different sites.
How to avoid it:
- Unique passwords — This is by far the most effective way to avoid credential stuffing attacks. Use unique passwords for each of your accounts to ensure that even if one account is compromised, others remain secure.
- Enable two-factor authentication (2FA) — This adds an extra layer of security, requiring a second form of verification in addition to your password.
- Monitor login attempts — If your service or platform allows it, monitor and limit the number of failed login attempts to prevent automated credential stuffing attacks.
- Use a reputable antivirus — The best antiviruses like Norton or Bitdefender detect and block suspicious activity related to credential stuffing attempts.
- Install a web application firewall (WAF) — For business clients, using a WAF can help protect web applications by filtering and monitoring HTTP traffic to detect and block suspicious login attempts. This is particularly useful to prevent credential stuffing attacks at the application level.
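The “monitor and limit failed login attempts” advice above is easiest to understand from the service side. The following is an added example (not code from the article): it parses a constructed authentication log and tells a credential-stuffing window apart from a brute-force window using the signature described above, roughly one password per username spread across many source addresses versus many guesses against one account. The log line format, the thresholds, and the source addresses (taken from the RFC 5737 documentation ranges) are all my assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed log format (constructed for this example): one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Return an event dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def classify(events, min_failures: int = 8) -> dict:
    """Label one time window. Brute force hammers one account; credential stuffing
    tries roughly one password per account from many source addresses."""
    fails = [e for e in events if not e["ok"]]
    per_user = Counter(e["user"] for e in fails)
    summary = {
        "failures": len(fails),
        "distinct_users": len(per_user),
        "distinct_ips": len({e["ip"] for e in fails}),
    }
    if len(fails) < max(min_failures, 1):
        summary["kind"] = "normal"
    elif per_user.most_common(1)[0][1] >= 0.6 * len(fails):
        summary["kind"] = "brute_force"          # most failures hit a single account
    elif summary["distinct_users"] >= 0.8 * len(fails) and summary["distinct_ips"] >= 3:
        summary["kind"] = "credential_stuffing"  # one try per account, spread over IPs
    else:
        summary["kind"] = "suspicious"           # high failure volume, unclear shape
    return summary


def detect(lines, window_seconds: int = 60, min_failures: int = 8) -> dict:
    """Bucket events into fixed windows and classify each; keys are window starts."""
    buckets = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            start = int(event["ts"].timestamp()) // window_seconds * window_seconds
            buckets[start].append(event)
    return {
        datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"):
            classify(events, min_failures)
        for start, events in sorted(buckets.items())
    }


# Constructed sample log. Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = (
    # 10:00 window: twelve different accounts, one guess each, five source IPs
    [f"2024-05-01T10:00:{i:02d}Z src=203.0.113.{i % 5 + 1} user=user{i:02d} "
     f"result={'OK' if i == 7 else 'FAIL'}" for i in range(12)]
    # 10:05 window: one account guessed eight times from a single IP
    + [f"2024-05-01T10:05:{i:02d}Z src=198.51.100.7 user=bob result=FAIL" for i in range(8)]
    # 10:10 window: ordinary traffic, one mistyped password
    + ["2024-05-01T10:10:02Z src=198.51.100.20 user=alice result=OK",
       "2024-05-01T10:10:15Z src=198.51.100.21 user=carol result=FAIL",
       "2024-05-01T10:10:40Z src=198.51.100.22 user=dave result=OK",
       "this line is not an auth event and is skipped"]
)

if __name__ == "__main__":
    for window, finding in detect(SAMPLE_LOG).items():
        print(window, finding)
```

Note why per-IP lockout alone misses the first window: each address only fails two or three times, which is below any sensible per-IP threshold. The distinguishing signal is the ratio of distinct usernames to failures, which is why a WAF or login service should look at the shape of the traffic, not just counts per address.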
Man-In-The-Middle Attacks
A Man-in-the-Middle (MitM) attack is a sneaky cyber threat in which hackers intercept your network connection to steal sensitive information such as passwords or other personal data.
How it works:
- Interception via fake sites — Hackers use fake websites or servers to insert themselves between you and the real site you want to access. This allows them to hijack your login session, intercept your password, and capture session cookies.
- Bypassing authentication — Once hackers have your login details and a captured session cookie, they can skip the authentication process, including multi-factor authentication (MFA), because the session has already been authenticated. This allows them to gain unauthorized access to your accounts and sensitive data.
How to avoid it:
- Browse safely — Always look for a padlock icon next to the address bar and ensure the URL begins with “HTTPS” rather than “HTTP.” If these security signs are missing, leave the site immediately to avoid potential risks.
- Use a VPN — A virtual private network (VPN) like ExpressVPN masks your IP address and encrypts your data. It’s like putting a cloak of invisibility over your online activities, making it much harder for hackers to get their hands on your information.
- Use a firewall — Firewalls add an extra layer of protection. They act like a bouncer for your computer, letting you control what comes in and goes out.
Exploitation of Unencrypted Password Sharing
Unencrypted password sharing involves distributing login credentials via insecure methods like email, messaging apps, shared spreadsheets, and physical notes, making them vulnerable to interception and misuse.
How it works:
- Unsecured transmission — Hackers can easily intercept passwords shared via unencrypted emails or text messages. These methods lack the necessary encryption to protect data in transmission, making them vulnerable to cyber attacks.
How to avoid it:
- Invest in a reliable password manager — A reputable password manager like 1Password lets you securely share passwords and sensitive information with other users.
- Use a VPN — Using a reputable VPN will keep your internet connection private and protect your data from interception.
Hacking Your Phone
When a hacker gains access to your mobile device, it can expose sensitive information like banking details, emails, and social media accounts.
How it works:
- Malicious apps — Hackers create apps that look legitimate but are designed to siphon personal information from your device when downloaded or used.
- Fake public Wi-Fi — Cybercriminals set up fake public Wi-Fi networks to lure users and redirect them to malicious websites, where they can steal personal information.
- SIM swap scams — Hackers trick network providers into transferring your phone number to their device, allowing them to intercept calls and messages.
How to avoid it:
- Use a VPN — These tools help protect your passwords and information while you browse the web. This makes it harder for hackers to intercept your information.
- Keep your OS updated — Update your phone’s operating system regularly to benefit from the latest security patches that protect against known hacking methods. Norton, for example, can notify you when your operating system is out of date and needs an update.
- Download apps from trusted sources — Only download apps from reputable sources like Google Play or the iOS App Store, and avoid third-party marketplaces that may host malicious apps.
Editors' Note: ExpressVPN and this site are in the same ownership group.
What Happens When Your Passwords Are Stolen?
A stolen password can lead to a variety of serious issues that put your personal and financial information at risk. Here’s what can happen:
- Access to email and social media accounts — Once hackers have your password, they can easily access your email and social media accounts. This can lead to the distribution of spam or malicious content to your contacts and further attempts to gather personal information by digging through your communications and social media history.
- Fraudulent purchases and transfers — If your banking info is linked to compromised accounts, cybercriminals can make unauthorized purchases and transfers before you even know what’s happening.
- Identity theft — Stolen passwords often lead to the theft of personally identifiable information (PII). Hackers can use your PII to open new credit accounts, apply for loans, or even commit crimes in your name, causing long-term damage to your credit and personal reputation.
- Selling information on the dark web — Your stolen information has significant value on the dark web. Hackers can sell your credentials, PII, and financial data to the highest bidder, who can then use this information for a variety of malicious purposes.
How Do I Know If My Passwords Have Been Stolen?
Detecting stolen passwords early can save you a lot of trouble. Here are some signs that your passwords might be compromised:
- Your password isn’t working — If you suddenly can’t log into your account with your usual password, it could be a sign that a hacker has gained access and changed the password to lock you out.
- Slow computer performance — A sudden slowdown in your computer’s performance could indicate that it has been infected with password-stealing malware.
- Security notifications — Financial institutions, employers, and cybersecurity applications often send notifications if your account has been compromised in a data breach. Even if you haven’t noticed any suspicious activity, take these alerts seriously by changing affected passwords and following recommended security practices.
- Weird messages from your accounts — If friends or family report receiving strange messages from your email or social media accounts, it’s likely that a hacker has gained access.
- Fraudulent transactions — Always check your bank statements and other financial records for unusual transactions. If you notice any transactions you don’t recognize, contact your bank or credit card company immediately and change your passwords.
- Ransomware messages — Receiving a ransomware message is a clear sign that your device has been compromised. Hackers can use ransomware to encrypt your files and lock you out of your programs until you pay a ransom.
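Beyond waiting for the warning signs above, you can check whether a password already appears in a known breach corpus without ever sending the password itself. The following is an added example (not code from the article) of the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API: only the first five hex characters of the password’s SHA-1 hash leave your machine, and the match against the returned suffixes happens locally. `CONSTRUCTED_CORPUS` and `constructed_range_fetch` are my stand-ins for the real service so the example runs offline; `hibp_range_fetch` shows the real call but is not exercised.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed breach corpus (password -> times seen). Not real breach data; it
# stands in for the service's database so the example runs offline.
CONSTRUCTED_CORPUS = {"password123": 1200, "letmein": 57, "Rover2020": 3}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_fetch(prefix: str) -> str:
    """Offline stand-in for the range endpoint: returns 'SUFFIX:COUNT' lines for
    every corpus entry whose SHA-1 starts with `prefix`, plus one filler line so
    the caller cannot infer anything from an empty response."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    lines.append("F" * 35 + ":1")   # filler suffix, constructed
    return "\r\n".join(lines)


def hibp_range_fetch(prefix: str) -> str:
    """The real call: GET https://api.pwnedpasswords.com/range/<first 5 hex chars>.
    Not exercised in this example; shown so the offline stand-in's contract is clear."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-character hash prefix is sent; the full
    hash is matched locally against the returned suffixes. 0 means not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password123", "correct-horse-battery-staple"):
        n = pwned_count(pw, constructed_range_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in corpus'}")
```

To use it against the live service, pass `hibp_range_fetch` instead of `constructed_range_fetch`. A non-zero count means the password is in circulation on breach lists and should be changed everywhere it was used, which is exactly the reuse risk the credential-stuffing section describes.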
How Do I Protect Myself From Hackers?
Cybercriminals are constantly changing their tactics, but you can protect yourself by following these key tips and best practices:
- Create strong passwords — A strong password should be at least 12 characters long and contain a random mix of uppercase and lowercase letters, numbers and special characters. Avoid using personal information, such as your name or date of birth, which makes passwords easier to crack. Never reuse passwords across multiple accounts — having unique passwords for all of your accounts can prevent a single breach from compromising multiple accounts.
- Always use secure password sharing — Sharing passwords via unencrypted methods such as email or text messages increases the risk of theft. Instead, use a password manager with a secure sharing tool like 1Password or Dashlane to send encrypted passwords, files, or secure notes to others.
- Turn on 2FA — Two-factor authentication (2FA) adds an extra layer of security to your accounts by requiring a second form of verification, such as a code sent to your phone, in addition to your password. 1Password even alerts you to any 2FA-compatible accounts in your password vault for which you don’t yet have 2FA activated.
- Use a password manager — For all the reasons above, it’s a great idea to invest in a reliable password manager. A password manager increases your security by encrypting and securely storing your passwords and account details. It can generate strong, unique passwords for each of your accounts and enable 2FA, providing both security and convenience. 1Password, for example, includes smart password generation and customizable autofill, so you never have to remember complex passwords.
- Install a reputable antivirus — A good antivirus program like Norton can detect and block malware, phishing attempts, and other cyber threats. It provides an essential layer of protection by regularly scanning your device for vulnerabilities and keeping your system secure from the latest threats.
- Use a VPN on public Wi-Fi networks — Public Wi-Fi is vulnerable to data interception and spoofing. A virtual private network (VPN) like ExpressVPN encrypts your data and routes it through a secure server, protecting your privacy and masking your IP address. This helps to ensure your passwords and personal information remain secure, even on public networks.
Editors' Note: ExpressVPN and this site are in the same ownership group.
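The dictionary-attack advice (avoid common passwords and simple variations, prefer passphrases) and the strong-password tip above (12+ characters, a mix of character classes, no personal information) can be turned into a single signup-time check. The following is an added example, not code from the article or from any password manager it mentions. It undoes the tricks a hybrid dictionary attack relies on (trailing digits, leet substitutions) before comparing against a common-password list, so “SanDiego123” and “P@ssw0rd2024!” are rejected while a four-word passphrase is accepted. The tiny `COMMON_PASSWORDS` set, the leet map, and the passphrase rule (at least four words and 20 characters) are my assumptions; a real deployment would load a breach-derived wordlist.

```python
import re

# Tiny constructed stand-in for a real common-password list (a deployment would load
# a breach-derived wordlist with millions of entries; these are illustrative only).
COMMON_PASSWORDS = {
    "password", "qwerty", "letmein", "welcome", "iloveyou", "admin",
    "dragon", "monkey", "sandiego", "rover",
}

# Substitutions a hybrid dictionary attack tries; undoing them exposes the root word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12            # the article's baseline for a strong password
PASSPHRASE_MIN_WORDS = 4   # assumption: what this check treats as a passphrase
PASSPHRASE_MIN_LENGTH = 20


def root_word(password: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols ('SanDiego123' -> 'sandiego'),
    then undo leet substitutions ('P@ssw0rd' -> 'password')."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return core.translate(LEET_MAP)


def is_passphrase(password: str) -> bool:
    """Several unrelated words separated by spaces, hyphens, underscores or dots."""
    words = [w for w in re.split(r"[\s\-_.]+", password) if w]
    return len(words) >= PASSPHRASE_MIN_WORDS and len(password) >= PASSPHRASE_MIN_LENGTH


def character_classes(password: str) -> int:
    """How many of upper, lower, digit, special are present (0-4)."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def check_password(password: str, personal_terms=()) -> list:
    """Return the list of policy violations; an empty list means the password passes.
    `personal_terms` are things like the user's name or birth year (assumed input)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too_short")
    if not is_passphrase(password) and character_classes(password) < 4:
        issues.append("missing_character_classes")
    if root_word(password) in COMMON_PASSWORDS:
        issues.append("common_password")
    lowered = password.lower()
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        issues.append("contains_personal_info")
    return issues


if __name__ == "__main__":
    # Constructed candidates, including the article's own hybrid-attack examples.
    for candidate in ("SanDiego123", "Rover2020", "P@ssw0rd2024!",
                      "correct-horse-battery-staple", "Tr0ub4dor&3xYz!q"):
        print(f"{candidate!r}: {check_password(candidate, personal_terms=['Rover']) or 'ok'}")
```

The design choice worth noting is the normalisation step: a plain “is it in the list?” check passes “P@ssw0rd2024!” even though it is one of the first variants a hybrid attack would try. Stripping the decoration first closes that gap without needing every variant spelled out in the wordlist.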
Frequently Asked Questions
How do hackers steal passwords with phishing?
Hackers send deceptive emails or messages that look real to trick you into revealing your passwords. They often pretend to be from trusted places like your bank or a popular website. When you click the link or download the attachment, you either end up on a fake login page or with malware on your computer that captures your login details.
Is it safe to enter passwords on public Wi-Fi?
No, it’s not safe to enter passwords on public Wi-Fi. Hackers can intercept data on these networks using man-in-the-middle attacks, allowing them to steal your passwords and other sensitive information. Always use a VPN, or avoid entering passwords on public Wi-Fi altogether.
How do hackers use data breaches to get passwords?
Hackers get passwords through data breaches by stealing large sets of credentials from compromised websites. They then use these stolen passwords in credential-stuffing attacks or sell the data on the dark web. Monitoring your accounts and changing passwords after a breach can help mitigate this risk.