3 of the most common ways hackers steal passwords

You may have asked yourself, “Is this really how criminals figure out people’s passwords?” The short answer is no. But hackers do have some tried-and-tested ways to obtain passwords. In fact, almost half of all data breaches involve stolen credentials.

Here, we’ll explain the most common techniques hackers use, and what you can do to protect yourself.

1. Social engineering and phishing

Social engineering is a form of manipulation. Attackers trick people into sharing their passwords, payment details, or other sensitive information by posing as someone trustworthy or authoritative. Criminals will use this tactic over the phone, in an email or text message, or a DM on social media – anywhere that you could feasibly be contacted by the person or company they’re posing as.

To save time and money, hackers will often target people en masse using contact information that’s been leaked in previous data breaches and compiled in large databases. These details let them cast a large net and “phish” for more information by sending hundreds, thousands, or possibly millions of fake emails or text messages each day, or making a similar number of scam phone calls.

If they send a phony email or text message, they’ll often urge you to open a malicious link.

A criminal may pose as the IT department, a customer service representative, support agent, or even a potential romantic interest. If they send a phony email or text message, they’ll often urge you to open a malicious link. This could lead to a seemingly authentic site that’s designed to trick you into entering your username or password, which then gives the attacker what they need to access your real account. Or, they might call and try to persuade you to say your username and password or some other private data out loud.

Sometimes, a criminal will target a large company or service, rather than individual customers. They’ll use similar techniques to fool an employee into providing access to internal resources that contain passwords or other private data. Regardless of their story or angle, the attacker’s goal is to trick a person into providing account credentials or other confidential information.

2. Password leaks and credential stuffing

Hackers rarely sit at their computers and laboriously try different passwords to break into someone’s account. Why? Because it’s time consuming, and most services will lock them out after a few unsuccessful login attempts.

Instead, they’ll try passwords that have already leaked online. Imagine that account credentials for the fictional site crescentmoonbagels.com leaked online, including a user called John Dough. Most people use the same password for everything, so cybercriminals know there’s a good chance that John Dough’s leaked password can also be used to access his other online accounts.

Criminals will use various tools to comb through databases of leaked passwords and check if any of the credentials can be used to access other accounts. This technique is called credential stuffing, and is far more effective than simply guessing random passwords.

3. Dictionary attacks and cracking hashed passwords

A dictionary attack is an attempt to crack a password-protected account, device, or network by testing common words, phrases, or previously leaked-passwords from a predefined list. Rather than try every possible password combination, like A A A , A A B , and so on, criminals will focus on a subset of solutions that they think will have a higher chance of success.

These lists could include words from the dictionary, passwords that have leaked in the past, or combinations tailored for a specific organization or region. For example, if a criminal was trying to break into an account owned by someone in Manhattan, they might focus on passwords that include New York references.

An attacker could use a dictionary attack to enter possible passwords in a login field. But this is unlikely, because as we’ve already established, most websites and apps will lock you out after a few unsuccessful login attempts.

A criminal could use a dictionary attack to run popular and predictable passwords through commonly used hashing algorithms.

Instead, an attacker will often use a dictionary attack to crack leaked passwords that have been hashed.

When you create a new online account, the app or website’s creator will often protect your password by hashing it. That means each login credential has been run through a one-way algorithm. For example, the password 1 2 3 4 5 could be hashed into something like 8 2 7 c c b 0 e e a 8 a 7 0 6 c 4 c 3 4 a 1 6 8 9 1 f 8 4 e 7 b . If a company hashed their users passwords, and a criminal were to somehow break into their servers, they would find a database of gibberish rather than usable passwords.

It’s difficult but sometimes possible for criminals to crack a hashed password. For example, a hacker could use a dictionary attack to run popular and predictable passwords through commonly used hashing algorithms, and see if the hashed result is in their leaked database. There are even “lookup tables” that contain common passwords and their hashed results, so hackers can simply check if any of the hashed passwords in the lookup table match the ones they’ve managed to obtain via a data breach.

Other possible hacker techniques

We’ve covered the most common tactics, but there are other ways that a hacker could try to steal your passwords and other private information.

• Malware. Attackers create and deploy malware for different purposes, like locking up systems or destroying specific files. In theory, a criminal could create “keylogging” malware that’s able to track what you type on a keyboard and steal your usernames and passwords.

• Shoulder surfing. An opportunistic criminal could try looking over your shoulder to steal a glance at your company login credentials, or a security code sent to your phone via text. This is unlikely, however, because an attacker would have to spend time and money traveling to your location.

• Extortion. Criminals will sometimes use extortion to blackmail people into giving them information. These messages might claim to have sensitive information or content that they threaten to forward to friends, family, or coworkers unless you give them what they ask. Attackers are usually after a cash or cryptocurrency payment in these scenarios, but they could theoretically ask for a valuable account password instead.

How a password manager keeps you safe

Hackers have many tricks and techniques to try to crack your account. But with a password manager like 1Password, you can stay one step ahead and protect everything that’s important in your digital life, including your passwords.

Create strong, unique usernames and passwords

A password manager will help you create random, unique usernames and passwords for all your online accounts. Having strong credentials for each account protects them from brute-force attacks and ensures that an attacker can’t use a leaked set of your logins to access any other accounts in your name.

Avoid fraudulent login fields

When you create or update a password with a password manager, the website URL will be saved alongside your account credentials. That way, the password manager knows when and where to autofill your login information.

Now, imagine that you accidentally clicked on a malicious link, or visited a scam website designed to steal your information. You would immediately notice that your password manager wasn’t offering to autofill your password because the URL doesn’t match. This would push you to take a closer look, realize that you’re on a fake site, and then close the tab before entering your password.

Use two-factor authentication (2FA)

You should turn on two-factor authentication (2FA) everywhere it’s offered to add a second layer of security to your accounts. Why? Let’s say you fall for a social engineering attack and reveal the username and password for one of your online accounts. With 2FA enabled, the attacker wouldn’t be able to log in to the account unless they also had access to the place where you retrieve your one-time codes.

You can use 1Password as an authenticator for sites and apps that support 2FA. That means you don’t have to waste time opening your email or a standalone authentication app to sign in to your online accounts. 1Password will also autofill these codes in any browser, saving you precious time each day.

Know when you need to update your passwords

1Password’s Watchtower will flag any weak or reused passwords that are currently saved in your vaults, and prompt you to change them to something strong and unique. In addition, Watchtower will let you know if any of your accounts show up in a known data breach, giving you the chance to update the affected passwords before an attacker can exploit them.

Other ways to protect yourself

Here are a couple of other tips to protect your passwords:

• Stay alert. If you suspect you’re being targeted, pause for a moment and assess the situation. Do you recognize the sender of the email? Would your bank ever ask for your private information over the phone? If it sounds too good to be true, trust your gut and check that the phone call, email, or text message is authentic.

• Keep everything updated. Keep your devices and software updated to ensure you have the most recent security features or additions. If automatic updates are an option, turn them on.

• Check alerts about unusual sign-in attempts. Many services will send you an email or push notification if they detect a suspicious sign-in attempt. Opening the alert on a trusted device will usually give you the option to block the attack, keeping your account and the associated data secure. You’ll then be able to change the account password before the attacker can try to gain access again.

The bottom line

Keeping your passwords and other private information safe doesn’t need to be complicated. If you stay alert and use a password manager like 1Password, you can protect everything in your digital life without any fear or stress.

1Password