How Do Hackers Steal Passwords?

You often hear about cyberattacks that used stolen credentials to gain access to business networks, but how do hackers steal passwords? In this article, we explain the most common methods hackers use to steal passwords and provide some tips that will help you keep your passwords safe.

Hackers ask what your password is

The easiest way to obtain a password is to ask someone what it is. People are unlikely to tell you if asked outright, yet getting them to hand it over is the most common way for passwords to be obtained. The technique hackers use is called phishing, where they send an email with a link to a website that mimics a trusted brand – Microsoft for example. The website is an exact copy of the genuine site that it spoofs, and when login credentials are entered, they are recorded by the hacker. Phishing attacks can also take place via social media sites, text messages, instant messenger services, and over the phone.

Phishing uses social engineering tactics and a wide variety of lures to trick people into believing the request is genuine, although there are ways to avoid falling victim to these attacks. A good spam filter will block most of these emails, and you should always exercise caution when asked to click a link in an email, text message, or social media post. With emails, you can hover the mouse arrow over any link to find the true destination URL, and you should always check the URL of a web page carefully to make sure the website you are on is legitimate.
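The hover check described above can also be automated for an HTML email body. The following is an added example, not part of the original article: it compares the text each link displays with the host the link really points to, and flags destinations outside a list of trusted domains. The function names, the trusted-domain list, and the sample email are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # lower-cased hostname of a URL or bare domain, '' if unparseable
    try:
        return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return ""

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def suspicious_links(html, trusted_domains):
    """Return (href, reason) for web links whose real destination needs a closer look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # this example only checks web links
        real = host_of(href)
        shown = host_of(text).removeprefix("www.") if DOMAIN_LIKE.fullmatch(text) else ""
        if shown and not in_domain(real, shown):
            findings.append((href, f"text shows {shown} but link goes to {real}"))
        elif not any(in_domain(real, d) for d in trusted_domains):
            findings.append((href, f"{real} is not a trusted domain"))
    return findings

# Constructed sample email body; every domain is a placeholder.
SAMPLE = """<a href="https://login.brand.example/">www.brand.example</a>
<a href="http://brand.example.login-check.test/signin">https://brand.example/signin</a>
<a href="https://files.other.test/reset">Reset your password</a>"""
```

Calling suspicious_links(SAMPLE, ["brand.example"]) reports the second and third links: the second displays one domain while pointing to another, and the third leads to a host that is not on the trusted list.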

Brute force attacks

A brute force attack involves trying many different passwords until the correct one is guessed. These attacks are automated, and it does not take long to try huge numbers of passwords. Hackers often conduct attacks using tens or even hundreds of IP addresses and use lists of common passwords. These attacks exploit the use of default and weak passwords such as "password" and "12345678", as well as dictionary words, the names of sports teams, etc. It is also possible to hack into accounts using information known about an individual or gleaned from social media websites. People often use the name of a spouse, pet, or child, or a birthdate, as their password. Don’t make it easy for hackers. Do not use personal information in passwords, and set passwords longer than 8 characters, including upper and lower case letters, at least 1 number, and ideally a special character.

Credential stuffing attacks

The success rate can be increased in a type of brute force attack called credential stuffing, which deserves a special mention. These attacks use lists of passwords that have been obtained in past data breaches, and they work because many people use the same password for multiple accounts. If there is a data breach on one platform, the password used for that site could provide access to many other accounts.

You should also ensure a unique password is set for each account. You can use a password manager to help you generate strong passwords, and with these solutions those passwords do not need to be remembered. Some password managers can be used for free. Bitwarden, for example, has a good free version of its password manager.


Malware is commonly used to obtain passwords. If a user can be tricked into downloading malware onto their device, the malware can obtain passwords stored in browsers (even if the browser encrypts those passwords), or log keystrokes to capture passwords as they are entered. Malware can be delivered via phishing emails with the malware attached directly, or more commonly using attachments with malicious scripts that trigger a malware download. Malware can also be bundled with software, especially pirated software and apps downloaded from unofficial app stores.

To prevent malware from being installed, make sure you use antivirus software – even free versions such as AVG and Avast – and ensure the solution is set to update automatically. Never download apps from unofficial app stores, exercise caution when opening email attachments, and ensure they are scanned by your AV solution before opening. Naturally, avoid pirated software, software cracks, and illegitimate product activators.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of