How Do Hackers Get Passwords?

In every movie with a hacker, there is always that scene where the hacker must guess the right password. A blinking cursor in the password field looms on a large computer monitor. The hacker is usually under a lot of pressure, with the seconds counting down. They make one or two wrong guesses, before finally typing the right password, and presto! They’re in. Now they can launch the missile, or stop the missile from launching, or steal all the evidence that will incriminate the crime boss.

From what we see in movies and pop culture, you would think that “hacking” is a matter of guessing a few passwords and instantly gaining access to something. You would also think that it’s usually a solo hacker targeting a specific person for a specific reason – perhaps because their target is a millionaire or the CIO of a large company.

But what you see on the big screen is pretty far from the truth about how hackers get passwords and how they use them.

How do hackers hack passwords?

When hackers are trying to get passwords, they don’t guess them one by one in a password field. Instead, they have a toolbox of software programs and databases to help them figure out credentials that might work.

First, most passwords that hackers have access to are stolen in large data breaches from popular online services. When popular services like LinkedIn, eBay, and Adobe have millions of records leaked, the passwords stolen in those breaches are compiled in large databases. Less well-known websites are also regularly hacked due to poor security protocols. So, what do hackers do? They use these “dumps” of data to perform “credential stuffing”, where they use software (or “bots”) to automatically test every username and password combination in the database to see if any successfully log on to another website (like a bank).

Or, if a hacker knows an email address for a user’s account, they can use “password spraying” where they test known passwords (like 12345 and asdf) to see if any work with that particular email address. Again, bots are running these tests, and only if a match is found does a hacker then use the valid credentials to try taking over the account.

According to Akamai, there are at least 280 million malicious login attempts per day, including 300,000 attempted logins per hour from a single botnet.

And let’s not forget phishing. With large databases full of email addresses, it’s very easy for hackers to send millions of emails every day. Oftentimes, these emails impersonate legitimate services, like banks, and trick people into giving away personal information. The person might click in the email and be sent to a login page that looks legitimate, but actually just harvests their credentials for the hacker to use.

How do hackers get into my computer?

It’s much less likely (though still possible) that hackers will actually hack into your computer. It’s much easier for them to use credential stuffing, password spraying, and phishing to try to find valid credentials to take over an online account.

But there are other ways hackers can try to steal your information. Sometimes phishing emails contain malicious software, or malware, either in attachments or in embedded links. By downloading the malware to their computer, people increase the likelihood of having a keylogger installed that can then capture their passwords and send it to a hacker. Or, people might download ransomware that allows hackers to extort you for money or information in order to get your data back.

If someone has access to your physical device, at home or in the office, it’s also possible someone could try logging in directly on your machine. If you have your passwords written down in an easy-to-get-to place, a hacker might not have any trouble breaking into your computer. That said, the risk is very low, and is more likely to be someone you know personally rather than a stranger.

How can I keep hackers out of my accounts?

Most of us aren’t very attractive targets for hackers – we likely aren’t millionaires, or hold high-profile corporate positions, or serve as top government officials. But, hackers love the “low-hanging fruit” – they’ll often steal what is easiest to take. That’s why credential stuffing and password spraying are so popular; they can be easily and cheaply automated so that hackers increase their chances of finding money or more data to steal that they can sell on the dark web.

Now that we’ve demystified password hacking, you’ll see that simple actions can help significantly reduce your risk of being a hacking victim.

First, don’t reuse passwords. A password manager can help you generate unique passwords for every single account (and gives you a convenient place to store them). That way, a password stolen in a data breach for one website won’t automatically give a hacker access to your other online accounts.

Second, add multifactor authentication where you can. If a hacker manages to obtain your username and password, MFA requires additional login information that the hacker is very unlikely to have access to.

Three, be aware. If a service you use tells you about a data breach, update your password. Enroll in dark web monitoring so you are aware of any data leaked online and can respond appropriately.

With just a few simple steps, you’ll drastically lower your chance of having a hacker get your passwords or hack into your computer. When you’re no longer an easy target, hackers are much more likely to give up trying to hack you. You’ll better protect your sensitive information, your finances, and your identity from theft and fraud.