How hackers steal passwords - and ways you can protect yours

From sophisticated programs to simple guesswork, there are many ways hackers steal passwords. No matter how your password lands in the hands of a cybercriminal, a hacked email account can be a real headache with often unforeseen consequences. Discover how to protect yourself from the most common methods of password theft.

by Alyssa Schmitt

So that hackers don't stand a chance, take a few minutes to learn about the methods they use to steal passwords – and, most importantly, how you can protect yourself.

Six popular methods of password theft:

  1. Guessing
  2. Automated attacks
  3. Phishing
  4. Malware
  5. Physical spying and theft
  6. Data breaches

1. Guessing weak passwords

One common way to crack a password is simply to guess it. It’s not even all that hard. That’s because many of us want a password that will be easy to remember, so we often use the names of pets, children or spouses, not to mention dates like wedding anniversaries and numbers such as ZIP codes. The problem is that much of this information can be found on social media or through a quick internet search.

Such passwords are also easy targets for anyone who knows some personal details about you – friends, family members, coworkers… Although it may be as harmless as your kid cracking the Netflix password to get some extra screentime, just think of the damage an angry ex-partner or a disgruntled former colleague could do with your email or social media password.

In many cases, no particular personal knowledge is even needed to guess a password. If you use a weak yet widespread password such as “123456,” “Password,” or “qwerty,” you can be fairly certain that it can be cracked quickly by the first person who puts their mind to it.

How do you protect yourself against someone guessing your password?

  • Never use a single term like your child’s name, your favorite sports team, etc. as a password. Unfortunately, it does not make them much safer if you use them in combination with numbers related to your personal information, e.g. your date of birth. In other words, “DenverBroncos” would be considered an easily guessed password, as would “Emma2010”. If you decide to use names or other personal information in your password, string together several terms and add numbers and special characters, e.g. “Duchess-is-dog-number-1”.
  • Try not to share too much personal information publicly on social media – use the privacy settings to keep personal channels from being viewable by strangers. Not only does putting too much information out there make your passwords easier to guess, but it can make you a target for spear phishing, romance scams, identity theft, etc.
  • Never, ever use a common, weak password like “Password123”.

2. Dictionary and brute force attacks

Cybercriminals use algorithms that systematically test all kinds of number and letter combinations to hack passwords. It's all about trial and error – but on a grand scale. This is not a case of a hacker sitting in front of a computer and painstakingly typing in one word after another – if that were necessary, a lot of time and luck would be needed to actually land in an account. Instead, special automated hacking programs in conjunction with very powerful computers are used to enter thousands of potential passwords per second.

In a dictionary attack, dictionaries such as Merriam-Webster or Oxford are used by hackers as “password lists.” After all, dictionaries contain thousands of words that people use as passwords. So they can be used to try out as many passwords as possible, as quickly as possible.

Similarly, in a brute force attack, the hacking program simply tries out as many random character combinations as possible in as short a time as possible. Studies have shown that with this method, it takes just 0.03 seconds to crack a password with five characters (three letters, two numbers).

How do you protect yourself against automated password attacks?

  • Never use a single word that can be found in the dictionary as your password. If you prefer to use “real” words instead of random strings of letters and numbers because they are easier to remember, be sure to use more than one word, mix in some special characters and numbers, and alternate between lowercase and uppercase letters.
  • In addition to containing the abovementioned mix of characters, your password should be at least 12 characters long. Whereas a five-character password can be cracked in the blink of an eye, current brute-force methods could take thousands of years to discover a password consisting of more than 12 mixed characters. 
  • For example, “Mom38” or “Mother” could be easily cracked in an automated hacking attack, whereas a long, multi-term passphrase like “MomBaked500Cookies!” would be considered secure.
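
The password rules from sections 1 and 2, written as a small self-check (an added example, not part of the original article). The word lists are constructed samples, the guess rate is an assumption chosen so that a five-character lowercase-and-digit password takes about 0.03 seconds, and requiring all four character types is this example's reading of the advice above.

```python
import string

# Constructed sample lists; a real audit would load full wordlists.
COMMON = {"123456", "password", "qwerty", "password123"}
WORDS = {"mom", "mother", "emma", "duchess"}
GUESSES_PER_SECOND = 2e9  # assumed rate: 36**5 guesses then take about 0.03 s
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)

def pools_used(password):
    """Character pools (lower, upper, digit, special) present in the password."""
    return [p for p in POOLS if any(c in p for c in password)]

def brute_force_years(password):
    """Worst-case time to try every string of this length over the pools used.

    An upper bound only: it does not model dictionary or guessing attacks.
    """
    alphabet = sum(len(p) for p in pools_used(password))
    seconds = alphabet ** len(password) / GUESSES_PER_SECOND
    return seconds / (365 * 24 * 3600)

def audit(password):
    """Return the article's rules that the password breaks (empty = passes)."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON:
        problems.append("common password")
    # Stripping trailing digits catches name-plus-number choices like "Emma2010".
    if lowered.rstrip(string.digits) in WORDS:
        problems.append("single word or name, with or without numbers")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if len(pools_used(password)) < 4:
        problems.append("missing a character type")
    return problems

if __name__ == "__main__":
    for pw in ("Mom38", "Mother", "Emma2010", "MomBaked500Cookies!"):
        print(pw, audit(pw), f"{brute_force_years(pw):.3g} years")
```
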

3. Phishing for passwords

Phishing is one of the most common ways that hackers gain access to other people’s login data. Phishing emails often contain links that lead to fake websites designed to trick you into entering your password. This works by imitating a message from a trusted sender, like your bank, a parcel service, or a well-known online retailer. The types of phishing tricks used by scammers are too numerous to list, but what they generally have in common is that they create a sense of urgency that immediate action is required on your part. For example, they might claim that a payment is overdue, so you need to log in to the website to correct the error or you will have to pay a late fee.

In other cases, phishing mails contain attachments infected with malware that can be used to spy out your passwords, as explained below.

How do you protect yourself from password phishing?

  • As a general rule, you should not click on links in emails and enter your login or other personal information if requested in an unsolicited email. If you think there could be a legitimate problem you need to handle, go to the company website in your browser by typing in the web address yourself or using a bookmark, and log in there.
  • When you receive an email, hover over the sender name with your mouse and make sure the displayed name matches the email address that is shown.
  • Hover over any links listed in the email (without clicking on them!) and make sure they are going to the actual site claimed. Pay special attention to small spelling errors in the domain, e.g. “amazoon” instead of “amazon.”
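
The hover check from the last bullet, automated for an HTML email body (an added example, not part of the original article). The allow-list, the sample message and the 0.85 similarity threshold are assumptions made for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"amazon.com"}  # hypothetical allow-list of sites you actually use
SAMPLE = (  # constructed email body, not a real message
    '<p>Payment overdue! <a href="https://www.amazoon.com/login">Log in</a> '
    '<a href="http://billing.example.net/pay">www.amazon.com/pay</a> '
    '<a href="https://www.amazon.com/orders">Your orders</a></p>'
)

def site(url):
    """Last two host labels; assumes simple suffixes such as .com."""
    if "://" not in url:
        url = "//" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html):
    """Return (href, reason) for each link that does not go where it claims."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = site(href)
        if target in TRUSTED:
            continue
        near = [t for t in sorted(TRUSTED)
                if difflib.SequenceMatcher(None, target, t).ratio() >= 0.85]
        if near:
            findings.append((href, "lookalike of " + near[0]))
        elif "." in text and " " not in text and site(text) != target:
            findings.append((href, "link text shows " + site(text)))
    return findings
```
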

4. Malware on your computer

Hackers can also make use of malware to spy on you when you type in your passwords and other login details. With the help of a kind of spyware known as a keylogger program, you are tracked while typing on the infected device. By recording your keystrokes, the hacker can steal your passwords and other sensitive data and use it to access your accounts, including email, social media and online banking.

Sounds scary, right? And how does this malware get into your device in the first place? There are several possibilities. As we explained earlier, scammers might place links in phishing emails or on fake websites that trigger a malware download if you click on the link. Sometimes malware can also be hidden in a program that you download voluntarily, e.g. you download software online that turns out not to be as trustworthy as you thought.

How do you protect yourself against spyware?

As a general rule, you should always exercise caution on the internet! Always think twice before opening websites or using applications recommended to you by strangers or unknown sources on the internet. In addition:
  • When you see a website address listed in a link, a search results page, etc., make sure the address starts with “https”. The “s” means that any information, like passwords, that you enter on that site is encrypted in transit using SSL/TLS.
  • If you want to download software from the internet, only download from reputable and official sources, e.g. the manufacturer’s website or the official app stores.
  • Make sure that you have good, up-to-date antivirus software on your computer.

5. Physical theft and spying (shoulder surfing)

We have all been told to make sure that no one sees us entering our debit card PIN, but the same applies to your passwords. When you are working on your laptop in a café or on the subway, anyone could be watching over your shoulder as you log in to an online account. The process of spying out passwords in public is common enough to have its own name – “shoulder surfing.”

Writing passwords on a Post-it stuck to your screen or keyboard also opens you up to password theft. And the same applies to saving your passwords in the web browser of a shared or public computer.

How do you protect yourself against shoulder surfing?

  • When in public, be alert when entering your PINs, passwords, and codes. Make sure no one has a view of the keyboard or keypad.
  • If your passwords are so complicated that you can’t remember them without writing them down, maybe it’s time to follow our advice for creating secure, easy-to-remember passwords? Or you could consider using a password manager.
  • If you do write down passwords, keep your list in a secure location like a locked drawer rather than lying openly on your desk.

6. Passwords leaked in data breaches

It seems like at least once a year there’s a report of a major data breach in which a large company loses the passwords, logins and other personal data of its customers. Hackers break into corporate databases and servers to steal this information to use in scams or sell on the Dark Web to identity thieves and other cybercriminals.

How can you protect yourself in case of a data breach?

  • Even if you don’t know you’ve been affected by a data breach, the fact that they keep happening should be a wake-up call to us all: Use a different password for each and every online account! Unique passwords help prevent hackers from gaining access to multiple accounts after a data breach.
  • Change your passwords immediately if you realize you have an account with a company that suffered a data breach.
  • Keep in mind that not all data breaches are reported in the press. You can perform an immediate check of your email addresses at
    Again, if you find out your email was included in a data breach, change your passwords immediately.

Why not take some time today to make sure your passwords are safe?
