12 ways how attackers crack your password

Post hero image

Table of contents

See Hoxhunt in action
Drastically improve your security awareness & phishing training metrics while automating the training lifecycle.
Get a Demo
Updated
August 28, 2024
Written by
Maxime Cartier
Fact checked by

Have you ever received an email telling you that someone from a different location tried to log in to your account?If you did, you should be concerned because someone got a hold of your password.You’ve probably wondered how that could happen. There are several possibilities. We’ve collected 12 ways of how hackers snatch passwords.At the end of this post, we will give you a few tips on how to keep your passwords safe.

1. Phishing

Phishing is one of the most typical ways how attackers succeed in getting your password. They usually email their targets using a variety of tactics to get people to give up their passwords. Maybe they tell you that there has been a data breach, and you need to change your password to remain safe. Then a link takes you to a fake website that is used to steal your login credentials after filling them out. The email could also be camouflaged as a routine password change email from commonly used services.If you are interested in how attackers use phishing to steal passwords, we’ve written a blog around phishing where you will find more detailed information.

2. Social engineering

Social engineering is a popular method for stealing a password. Attackers typically impersonate someone in an email, like IT support or a service vendor, and will urge you to change your password immediately.They could also use USB drop attacks, leaving USB sticks at strategic locations hoping that you would plug them into your computer to spread malware to get backdoor access to the IT infrastructure.We’ve created an incredible mini-challenge on USB drop attacks. Learn more about how we educate users on the dangers of unknown devices.

3. Malware

Attackers use malware like keyloggers or screen scrapers to steal your data. Keyloggers record a user’s activity. Screen scrapers are designed to follow everything you do on your display. There’s also malware that will scan through the computer to find password dictionaries or passwords saved to browsers.

4. Brute force attack

When hackers use a brute force attack, they submit many passwords or passphrases to try and guess the password correctly. They check all possible variations until the correct one is found. Attackers may also do exhaustive key research to guess the key that is typically created from the password using a key derivation function.Brute force attacks work well when the target uses simple passwords. The table below shows how long it takes a hacker to brute force your password. The longer and more complicated your password is, the harder it gets to guess it.

how long it takes to hack a password

5. Dictionary attack

A dictionary attack is a brute force technique. Dictionary attacks usually use an actual dictionary, a list of words, phrases, or numbers that an attacker thinks the password could contain. Hackers may work with commonly used password lists, popular names, pet names, and other common words.

6. Keystroke logging

Keystroke logging software is one of the oldest forms of malware. Attackers still use it today. Keyloggers record the user's keystrokes, like the information you type into a website form or an application. The software then sends this information to a third party.Attackers use keyloggers to steal passwords and personal or financial information, such as banking details. This information is often sold.

7. Mask attack

When attackers know part of the password, a mask attack is an excellent tool to move forward. When they know that the password consists of 12 characters and ends with ‘12345’, then they only need to guess the first 7 characters. The password mask is used for setting a rule to try to recover the password.

8. Rainbow table attack

When hackers use the rainbow table attack, they use a rainbow hash table to crack stored passwords. A rainbow table is used in cryptography as a hash function to store important data such as passwords.

9. Network analyzer

Attackers use network analyzers to hack passwords when they gain physical access to your computer. Or, with access to your premises and physical network, they can manage to join your wireless network. If the internet traffic is not going through a VPN, SSH, SSL, or other encryption forms, your passwords and data will be vulnerable to be breached.

10. Spidering

Spidering is very similar to phishing. When social engineers use spidering, they try to get to know the targets and try to figure out their credentials based on their digital footprint. Social engineers then build a list of possible combinations that they use for a brute force attack.

11. Offline cracking

Social engineers don’t always need the internet to steal your information. It is sufficient for them to leave your computer unattended in a public place or when you leave passwords on sticky notes lying around on your desk.

12. Shoulder surfing

Shoulder surfing is used by attackers to discover passwords or other sensitive information by looking over your shoulder at what’s displayed on your screen or at what you’re typing. Many people use their personal or work devices in public spaces where someone can easily look over your shoulder.

How to prevent attackers from stealing your password?

There are several ways for you to make it more challenging for attackers to snatch your passwords.

Use strong passwords

Start with using strong passwords that are at least 13 characters long or preferably even longer. It would be best if you used a combination of numbers, uppercase and lowercase letters, and symbols. A strong password can decrease the ease of being hacked from within seconds or hours to months or millions of years.To create a strong password, we recommend using one of the many password generators available.

Use a password manager

With a good password manager, you can safely store passwords. This is especially handy when your passwords get more advanced and harder or impossible to remember or when you use unique passwords for each website and service.Password managers often come with password generators. They are convenient because you can simply copy-paste passwords from your digital safe to your login.It’s always safer to store passwords with a password manager than with web browsers, computer files, or sticky notes.

Use two-factor authentication

Two-factor authentication always requires a second form of identification. When you try to log in to an account, you must first enter your username and password. Then you will need to provide a second form of proof (such as a code that comes to your phone) that you are the account owner before you can access it. This way, you have an added layer of security.

Be critical of emails you received

Be critical of the emails that you receive. Social engineers make emails look as realistic as possible and they often invoke different emotions (e.g. fear or curiosity) to trick you. Think twice when you receive an email that asks for sensitive information or includes attachments. You can find some more tips here on how to spot phishing.

Don’t store your passwords in the web browser

When your device is infected with malware, hackers can access the passwords you save in your web browsers. Or when hackers take control of your device over the internet or physically, they will be able to log in on every page where you have stored your password. Instead, you should use a password manager to store your passwords.

Don’t store your passwords on sticky notes

Passwords that are written down on sticky notes are accessible to anyone who sees them lying around. To avoid anyone from snatching passwords, you should only keep them to yourself or store them somewhere safer like in a password manager.

Use a VPN or other forms of encryption

Use a VPN or other encryption form to prevent hackers from gaining access to your device through the network you use. Another benefit of VPNs is privacy. You can’t be monitored as well with a VPN and you won’t have to worry about personal advertisements.

Make sure that unknown people don’t get access to your premises

By protecting your premises or only granting access to those who need it, you can prevent hackers from accessing physical devices—preventing offline cracking as a result.

Use screen protectors

Screen surfing will become a lot more challenging for attackers when you use screen protectors. They are built so that people can’t see what’s displayed on your screen from certain angles. This is especially useful in public spaces.

Are your passwords secure enough?

After reading this article, you may be wondering: are my passwords secure enough? In case you are hesitant to answer it, you should probably update your passwords.This is also a good time to start using a password manager if you’re not yet using one – it will literally make your life easier.

Read more about secure sign-in

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this