How Passwords Get Stolen (and 10 Simple Steps to Keeping Them Safe)

Written by Trifo
“RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries”

“Police found 225 million stolen passwords hidden on a hacked cloud server”


These headlines are unfortunately nothing new. The dangers of having your password leaked/stolen are now well-known. Tech wizards have been developing and testing tools that will eventually replace the use of passwords, but the transition isn't expected to be fully implemented anytime soon.

The majority of websites and apps don’t allow authentication through biometric data, meaning that we users are still limited to the humble password. The reality is that many people still don’t use password managers and reuse the same password across multiple websites and applications, including crucial ones like online banking.

This means that taking precautions to protect your passwords (again, unless you use a password manager) is nothing less than imperative if you want to protect your assets.

Before we go there, though, perhaps it’s best to take a look at how data leaks/thefts happen, as understanding the process may play a big role in preventing it.

How Passwords are Hacked and Stolen 

Guessing - the simplest method

In 2020, three of the most common passwords in use were found to be "123456," "123456789," and "password". When searched using the tools available at HaveIBeenPwned (definitely worth a visit), it was found that these passwords showed up tens of millions of times during scans of breached data. Here are the reporting results as of January, 2022:
  • 123456 - 37,359,195 appearances
  • 123456789 - 16,629,796 appearances
  • password - 9,545,824 appearances
Although criminals have tools at their disposal that can rapidly generate and test candidate passwords, the need for those tools is greatly reduced when passwords like these are so commonly used. Hackers can simply try some of the most common passwords, which in some cases will let them access user accounts with very little effort (this is also known as a “dictionary attack”).
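The defensive counterpart of this section is to refuse any password that already appears in breach data. The added example below (not code from the original post) implements the check the way the Pwned Passwords service at HaveIBeenPwned exposes it: only the first five hex characters of the password's SHA-1 are sent, the matching suffixes come back as `SUFFIX:COUNT` lines, and the comparison happens locally. The range responses here are constructed for offline use (the two counts are the figures quoted above, the third line is filler); `live_fetch_range` is the assumed network version.

```python
import hashlib
from urllib.request import urlopen

# Constructed excerpt of what the Pwned Passwords range API returns for a
# 5-character SHA-1 prefix: one "SUFFIX:COUNT" line per breached hash.
# The two counts come from the figures quoted above; the third line is filler.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"   # "password"
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n",        # made-up entry
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37359195\n",  # "123456"
}

def split_sha1(password: str):
    """Uppercase hex SHA-1 split into the 5-char prefix sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def offline_fetch_range(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")

def live_fetch_range(prefix: str) -> str:
    # Real lookup (network). Only the prefix leaves the machine (k-anonymity).
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10) as r:
        return r.read().decode("utf-8")

def breach_count(password: str, fetch_range=offline_fetch_range) -> int:
    """How many times the password appears in breach data; 0 if not found."""
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def check_password(password: str, fetch_range=offline_fetch_range, min_len=12):
    """Policy used at signup/password change: long enough and not in breach data."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"appears {seen} times in breach data"
    return True, "ok"

if __name__ == "__main__":
    for pw in ["password", "123456", "Radamabla-9-plum-tree"]:
        print(pw, check_password(pw))
```

Pass `fetch_range=live_fetch_range` to `check_password` to query the real service; the SHA-1 suffix never leaves the client either way.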

Phishing and other social engineering attack variants

Cybercriminals often directly contact their targets by phone (vishing), email (phishing), text messaging (smishing), or through social media accounts. In these attacks, scammers typically impersonate others to convince their victims to provide sensitive information like login credentials.

They may claim to represent companies with which their targets have done business. They often impersonate government officials including law enforcement personnel, tax agents, and Social Security Administration employees. Sometimes they claim to be calling on behalf of their targets' family members or friends.

These criminals will try to convey a sense of urgency, perhaps even threatening their targets with arrest or loss of access to benefits if they fail to act immediately by providing the information requested.

Brute force and stuffing attacks

As mentioned, hackers do have tools available that can quickly generate random passwords and test them to determine whether they will provide access to targeted accounts. Stuffing, which is a variation of brute-forcing, involves the use of previously stolen credentials exposed in breaches and available to criminals via the Dark Web.

These credentials are loaded into applications that rapidly test them against huge numbers of sites hoping to find matches and gain access. There are hundreds of millions of these types of attacks logged annually.
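From the defender's side, stuffing and brute force leave different footprints in an authentication log: stuffing is many accounts with roughly one attempt each from one source, brute force is one account hammered repeatedly. The added example below (not code from the original post) runs that distinction over a constructed log excerpt and lists the accounts that should be reset because a flagged source logged in successfully. The log format, window and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

Event = NamedTuple("Event", [("ts", datetime), ("result", str), ("user", str), ("ip", str)])
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")

# Constructed auth log, not real traffic (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2022-01-10T09:00:01 FAIL user=alice ip=203.0.113.7
2022-01-10T09:00:02 FAIL user=bob ip=203.0.113.7
2022-01-10T09:00:02 FAIL user=carol ip=203.0.113.7
2022-01-10T09:00:03 FAIL user=dan ip=203.0.113.7
2022-01-10T09:00:03 FAIL user=erin ip=203.0.113.7
2022-01-10T09:00:04 OK user=frank ip=203.0.113.7
2022-01-10T09:01:10 FAIL user=carol ip=198.51.100.9
2022-01-10T09:01:11 FAIL user=carol ip=198.51.100.9
2022-01-10T09:01:12 FAIL user=carol ip=198.51.100.9
2022-01-10T09:01:13 FAIL user=carol ip=198.51.100.9
2022-01-10T09:01:14 FAIL user=carol ip=198.51.100.9
2022-01-10T09:02:05 OK user=dave ip=192.0.2.5
"""

def parse(log_text):
    # Lines that do not match the expected format are ignored.
    return [Event(datetime.fromisoformat(m[1]), m[2], m[3], m[4])
            for m in map(LINE_RE.match, log_text.splitlines()) if m]

def classify_sources(events, window=timedelta(minutes=5), min_fails=5):
    """Label each source IP whose failed logins cluster inside one window."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e.result == "FAIL":
            fails_by_ip[e.ip].append(e)
    verdicts = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        if len(fails) < min_fails or fails[-1].ts - fails[0].ts > window:
            continue
        users = {e.user for e in fails}
        if len(users) == 1:
            verdicts[ip] = "brute force"          # one account, many guesses
        elif len(fails) / len(users) <= 2:
            verdicts[ip] = "credential stuffing"  # many accounts, about one try each
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a flagged source: reset and notify."""
    return sorted({e.user for e in events if e.result == "OK" and e.ip in verdicts})
```

A success from a stuffing source (frank above) is the signal that matters most: that credential pair is already in the attacker's list, so the account needs a reset and a second factor, not just a blocked IP.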

Credential-stealing malware

Your devices can be infected with credential-stealing malware when you click on malicious links in phishing emails, open infected email attachments, accidentally visit an attacker's website, or install an app that didn't come from a reputable source.

Apps and functions that steal credentials could actually be keyloggers, malware packages that record not just your passwords but all of your keystrokes and then transmit them to the bad actor.

Credential-stealing malware can also be built into sites designed to look like those of reputable entities. For example, an attacker may send a phishing message claiming that suspicious activity has been observed in the target's bank account and that the target must log into his or her account to change the password immediately.

The victim clicks a link in the message and is taken to a legitimate-looking bank site where he or she is instructed to enter login credentials to begin the password reset process. Doing so provides the attacker with the victim's bank account credentials.

Some malicious look-alike sites are created in the hope that random individuals will inadvertently land on them and be scammed out of their usernames and passwords.

Shoulder surfing and man-in-the-middle attacks

The term "shoulder surfing" describes the tactic of looking over someone's shoulder to observe what's on their computer or device display and trying to discover passwords or other sensitive information.

The high-tech version of this is a man-in-the-middle attack. Public Wi-Fi networks are often frequented by attackers who use readily available tools to monitor network traffic and steal sensitive data, including account login credentials, from those using the networks.

Sometimes cybercriminals will create their own public Wi-Fi networks designed to appear as if they are those of legitimate businesses, the sole purpose being to steal user data. Public Wi-Fi networks are inherently unsafe.

How to Protect My Passwords from Hacking in 10 Simple Steps

Following are the strategies you can easily implement to protect your passwords, your accounts, and your sensitive information:
  • A basic rule of thumb: get a password manager/vault. These are applications specially designed to keep your passwords safe. With one, all you have to do is remember a single master password (still following the rules below!).
  • Don't include real words. If possible, make up your own words that would be unlikely to be “guessed” (e.g. “Radamabla”).
  • Don’t use birthdays or other easily identifiable data about yourself (e.g. your last name).
  • Don't use weak (simplistic) passwords. Your passwords should be lengthy, complex, and include upper and lower-case letters, numbers, and special characters.
  • Use a different password for each of your accounts. If one account is compromised, the others will not be in jeopardy because they share the same credential (above all, never reuse passwords across email accounts and financial accounts).
  • Use 2FA (two-factor authentication) wherever it is available. This adds another component to the login process. In most cases, it's a PIN that is sent to your device via text or email. If an attacker is able to steal your login credentials, they will still be unable to complete the login without this additional factor.
  • Unless you are sure that you can trust the source of an email, text, or social media message and especially if there is something unusual or suspicious about the message, you should avoid opening any attachments or clicking any included links.
  • When you visit websites, make sure they are using HTTPS. A locked padlock should be displayed to the left of the site's URL at the top of your browser, indicating the use of this security protocol. Some criminals have now begun using HTTPS on their sites, so this method isn't 100% effective in protecting your information from scammers, but following this recommendation will help you to avoid malicious sites.
  • Make sure that the operating systems on your devices are up to date and are set to download and install updates automatically. Also, make sure all of your devices are running anti-malware/antivirus applications.
  • Avoid using public Wi-Fi unless your device is also equipped with a virtual private network (VPN) app and that app is in use. VPNs encrypt the data traveling to and from your device. Even if it is intercepted by a bad actor, the data cannot be decoded and read. If you don't have a VPN and you must use public Wi-Fi, avoid logging into any accounts or sending any sensitive information via messaging services.

Final thoughts

For more than ten years, tech publications have been forecasting the end of the password, but it's still here.

In fact, the number of passwords in use continues to rise, as does the number of attackers out there who are actively trying to steal them. Password protection should be taken seriously, so go ahead and implement as many of these tips as you can.

About the Author

Trifo works in customer support at Kualo. He's a ninja at working with popular open source applications like WordPress, Joomla and Drupal to name a few. Fun fact, Trifo recently became a father!