How Do Passwords Get Hacked?

Editor’s note: In recognition of National Cybersecurity Awareness Month this October, we are publishing a series of blog posts dedicated to educating and informing you about cybersecurity practices. This is the 12th in a series of posts. Below, you can find a list of links to the rest of the series:

You’ve no doubt heard about a friend, family member or co-worker getting hacked, whether it’s their social media profile, money transfer app (like Venmo, PayPal or Zelle) or some other account.

You may have even been the victim yourself.

We all know what getting hacked means, but how does it happen?

Bad actors use a variety of tactics to steal passwords. Some are as simple as guessing your password with trial and error, and others are a bit more complicated, using programs to track your keystrokes.

Most Common Way Hackers Get Your Password

The most common way hackers obtain your password is not by directly targeting you or your organization but rather from other hackers who already have stolen the data and published it.

When a data breach occurs at major companies like Microsoft, Yahoo or LinkedIn, username and password combinations are leaked onto the dark web.

Hacker groups collect millions of these credentials and utilize them in their attack scripts. This gives them a significant advantage, as many people either don’t change their passwords or make only minor changes, making it easier for hackers to gain unauthorized access.

Other Password-hacking Methods

If a list of stolen passwords doesn’t work, these are some of the ways attackers steal your credentials.

Brute force attacks: A method that uses trial and error to guess passwords and login credentials. These attacks often are carried out by scripts or bots that target a website’s login page.
Credential stuffing: Because people tend to use the same password for multiple accounts, attackers will use stolen credentials to attempt to gain access to other accounts.
Dictionary attacks: A type of brute force attack in which attackers try to guess a password by entering every word in the dictionary (sometimes replacing letters with alphanumeric replacements) or using a leaked list of commonly used passwords.
Keylogging: This attack uses a program to track a user’s keyboard strokes to steal PINs, credit card numbers, usernames, passwords and more.
Password spraying: A type of brute force attack in which the attackers use a single password or many common passwords to gain unauthorized access.
Phishing: These attacks trick users into sharing their credentials with hackers impersonating legitimate institutions and vendors.

Real-world Example

In real-world scenarios, attackers often combine various password attack strategies to maximize their chances of breaching multiple accounts and accessing sensitive information. Here’s an example of how such a combined attack might unfold:

An attacker sends a phishing email that looks like a legitimate request from the IT department, asking the user to log in to a fake company portal. When the user enters their credentials, the attacker captures them and uses these to log in to other systems (credential stuffing).
Simultaneously, the attacker deploys a keylogger via malware to the user’s device, capturing additional login credentials and sensitive information. The attacker uses brute force and dictionary attacks to attempt to break into more accounts using the usernames and passwords they have harvested.
Meanwhile, the attacker also tries common passwords against various accounts within the organization (password spraying), exploiting the fact that many users often use simple or reused passwords.

“There are many ways to improve security and reduce the chances of falling victim to an attack, but we find the biggest impact with the least amount of investment is to take phishing training seriously.”

This multi-faceted approach increases the attacker’s chances of successfully breaching multiple accounts and gaining extensive access to the organization’s systems and data.

Protection Strategies

Attackers combine various methods to create a more robust and potentially more successful attack strategy, leveraging the strengths and exploiting the weaknesses associated with each method.

Organizations need to employ comprehensive security measures to defend against such complex attacks.

Here are some key practices to protect yourself and your organization:

Use strong, unique passwords: Ensure all devices and accounts have strong passwords and avoid reusing the same password across multiple accounts.
Be skeptical of links and attachments: Always be cautious of unexpected links and attachments, even if they appear to come from trusted sources.
Shield sensitive information: Protect paperwork, device screens, and keypads from prying eyes to prevent shoulder surfing.
Avoid public Wi-Fi: Avoid accessing personal and financial data with public Wi-Fi; better yet, avoid public Wi-Fi if at all possible.
Install security software: Install antivirus and antimalware software on all devices and utilize detection and response security tools.

There are many ways to improve security and reduce the chances of falling victim to an attack, but we find the biggest impact with the least amount of investment is to take phishing training seriously.

The path of least resistance is tricking one employee rather than trying to bypass several security tools. Therefore, your organization’s security posture is only as strong as its weakest employee.

You should encourage your organization to invest in regular phishing training if it’s not already implemented.

Remember, all it takes is one click on a malicious link to severely cripple your organization. By staying vigilant and informed, you can significantly reduce the risk of falling victim to these sophisticated attack strategies.