Hackers & Passwords: How Do They Get Them?

And what you can do so that your passwords don't fall into the wrong hands...

login screen

You may be wondering how hackers manage to get inside other people’s accounts. Well, in this article, we’ll explore the different ways they manage to do that and, you may be surprised, just how some of these techniques require little to no technical expertise. Let’s get started, shall we?

Data breaches

A data breach presumes a hacker or a group of hackers breaking into the corporate or government network and getting all the data they can. As part of this “process,” they may stumble into the database with user profiles that hold passwords. If the data is unencrypted, they won the jackpot and are able to connect to services using other people’s credentials.

Luckily, most user databases store encrypted passwords, making it harder for hackers to get passwords.

Alternatively, instead of performing a data breach themselves, hackers can just buy a user profile database on a black market when they don’t need any technical skills. The scary thing is that such transactions take place on a regular basis.

Password spraying

Just knowing the username could be enough for hackers, as it allows them to start guessing the user’s password.

You may not know it, but there are quite a few people out there using generic passwords like 12345, abc123, password123, qwerty, and so on. Hackers try out these most common passwords in a technique called password spraying.


A somewhat similar method called a brute-force attack, it presumes a hacker attempting to guess all possible passwords until the correct one is found.

Brute-forcing can take forever and is even impossible for complicated (long) passwords, but it can be successful quickly if the password is short enough — or if the hacker already has some information about the password.

Credential stuffing

Once the hacker has one password, he/she will want to try it on other accounts. They do this since many people use the same username/password for accessing multiple services.

This is called credential stuffing, and it tends to presume using automated bots to try every username/password combination on another website until one of them works.

Social engineering

Social engineering is a broad class of attacks that preys on human gullibility. Its most “popular” form is phishing, which presumes tricking people into providing the attacker with his/her username and password.

Phishing itself comes in a variety of shapes and could include emails, text messages, and even phone calls — all made in an effort to get the victim’s credentials. To that end, the unsuspecting user may receive a message from a reputable organization asking him/her to react quickly. Then, when they click on the link in the message, they will be led to a fake login page — which was prepared by the hacker. Once the victim enters his username and password, the hacker will use that information to log in to services and cause havoc.

Also read: Here’s How to Avoid Phishing Scams


The computing equivalent of a wiretap, keylogging is made to record all keystrokes made on a computer. Often installed through an app that poses as a legit piece of software, a keylogger will track every key you press and send the recorded keystrokes back to its creator. Once that part is done, the hacker can use context to determine which keystrokes make up your password.

Also read: Keyloggers Explained

Shoulder surfing

This option doesn’t require any tech skill whatsoever. All the hacker has to do is stand behind you while you’re logging in to some important service and memorize your keystrokes. Although less techy – shoulder surfing is by no means ineffective. Quite the contrary.

Default passwords

Many devices come with default passwords, like those used in many routers (username: admin, password: admin). Hackers are able to take advantage of this by corrupting your Wi-Fi router and monitoring your traffic. Heck, they may be able to redirect you to a fake login page, where you would be required to enter your credentials for some popular service, and after that – they would be able to access that service.

Also read: Risky Password Habits You Must Know About

How to protect your passwords?

As we are always saying, the best defense in the cyber world is to use your brain. Think before you click and follow these rules:

  • Don’t click any links with suspicious URLs, even if they appear to come from a reputable source you know and trust.
  • If your router has the default username/password set to admin/admin – change it.
  • Use 2-factor authentication wherever possible.
  • Use unique passwords for every service.
  • Use strong passwords which combine lower- and uppercase letters, numbers and special characters.
  • Use a password manager to manage all your passwords from a single location.
  • Use a VPN to protect your communication on public Wi-Fi hotspots (so that no one can snoop into your traffic and potentially get ahold of your personal information).

It is our belief that by abiding by these rules, you will stay safe(r) online. It’s a scary world out there, so you better be prepared. 😉