How Do Hackers Get Passwords? (And How To Stop Them)

Do Hackers Have Your Passwords?

In September 2022, malicious hackers purchased a password that belonged to an Uber contractor on the Dark Web [*]. The contractor's personal device had been infected with malware leaving any information on the device vulnerable. The hackers then unlawfully accessed Uber's internal systems and even downloaded information off of a finance tool.

If fraudsters steal your passwords, they could hack your email and bank accounts and even steal your identity. But despite the growing threat, few Americans do enough to keep their passwords safe.

Over half of Americans say they haven’t changed their passwords in the past year — even after hearing about a data breach in the news [*]. But maybe even worse, 62% of Americans say they use the same password across multiple accounts to avoid having to remember unique passwords. If you make this mistake, a hacker could compromise all of your accounts with a single attack. 

But how do hackers get passwords in the first place? And what can you do to protect yourself and your family from becoming victims?

If you think your passwords are safe, think again. Read on as we explore the warning signs of password cracking, explain how hackers get passwords, and offer actionable advice to protect your online accounts from cyberattacks.

{{show-toc}}

5 Red Flags That Your Passwords Have Been Hacked

If hackers gain access to your passwords, they can do serious damage to your finances, reputation, and online identity. Once someone knows your login credentials, they could:

• Access your email and social media accounts.
• Make fraudulent purchases and transfers using your bank accounts.
• Acquire your personally identifiable information (PII) and use it for identity theft.
• Sell your information on the Dark Web.

To minimize the damage of password hacking, it’s crucial that you learn to recognize the signs of a compromised password. Here are some red flags:

1. Your password isn’t working. When hackers gain access to an account, they often change the password and lock you out. If your normal passwords don't work, you may have been hacked. 
2. Slow computer performance. We've all experienced our computers lagging over time — but a sudden slowdown can be a sign that your device has been infected with password-stealing malware.
3. You find your information on the Dark Web. Hackers might sell your passwords to other criminals, which puts you at risk of identity theft or financial fraud. 
4. Ransomware messages. Hackers can use malware to encrypt your files and programs, then lock you out until you pay them to regain control. In April 2022, a series of ransomware attacks hit 27 government bodies in Costa Rica, leading the country to declare a national emergency [*]. 
5. Friends and family members receive weird messages from you online. If hackers gain access to your accounts, they’ll often try to scam your friends and family. Pay attention if someone tells you that they received strange messages from “your” account.

10 Scams Hackers Use To Get Your Passwords 

1. Buying passwords leaked in data breaches
2. Phishing attacks
3. Fake “password reset” emails
4. Infecting your devices with malware
5. Brute-force attacks
6. Dictionary attacks
7. Credential stuffing
8. Shoulder surfing
9. Man-in-the-Middle attacks
10. Hacking your phone
    

Maybe you’ve already seen some warning signs. But how do hackers get passwords in the first place? 

Here are the ways that hackers get passwords — and what you can do to stop them from getting yours. 

1. Buying passwords leaked in data breaches

In the past year alone, billions of user passwords, logins, and other pieces of personal information have been stolen and leaked in data breaches. Malicious hackers break into databases and steal information to either use in scams or sell on the Dark Web. 

With hackers targeting companies from Facebook to Marriott to Equifax, there’s a good chance that at least one of your accounts has been compromised.

How this happens:

• Hackers target sites with vulnerable security practices (such as storing plain text passwords) and steal the account data of thousands or even millions of users at once. This can include login credentials, credit card details, and Social Security numbers (SSNs).
• Hackers then advertise the stolen “data dumps” on illicit marketplaces and forums on the Dark Web.
• Other hackers or identity thieves can purchase and use the information for financial gain.

What to do:

• Create different passwords for each account. Using unique, complex passwords for every account makes them harder to crack and can prevent scammers from gaining access to multiple accounts after a data breach.
• Look out for news of data breaches. Change your passwords immediately if you realize you have an account with a company that just suffered a data breach.
• Watch for fraud warnings. You might receive an email about a data breach. Visit the company website, and call the official customer support number to verify the situation — never respond via any methods listed in the email.

📚 Related: How To View (and Update) All Of Your Saved Passwords →

2. Phishing attacks

Phishing is one of the most common methods hackers use to steal personal information, including passwords. Six billion phishing attacks are expected to take place this year alone [*].

How this happens:

• Hackers send official-looking emails purporting to be from trustworthy organizations, like the IRS, your bank, or popular e-commerce stores. 
• The phishing emails include links that trick you into visiting a fake website — like an e-commerce store's payment page. If you trust that everything looks legitimate, you might unwittingly share your details.
• Alternatively, clicking on the link can trigger a malware download, which gives the hacker access to your computer. At that point, the thief can steal your passwords.

What to do:

• Don’t reply to spam messages. If you get an email from someone you don’t know, or notice any suspicious issues (like typos or an odd address), delete it and don’t reply.
• Avoid clicking on links or attachments in emails. It’s best to research the sender first. Contact them using the details located on their official website.
• Never share your personal information. Even if it’s an email from someone who claims to be an old friend, you shouldn’t reveal your passwords or sensitive information online. 

📚 Related: How To Tell If An Email Is From a Scammer [With Examples] →

3. Fake “password reset” emails

Do you keep getting password reset emails even though you never asked for them? You’re not alone. Password reset emails are among the most common scams. Apple warned users about this scam in July 2022, as hackers ramped up efforts to trick users into sharing their credentials [*]. 

How this happens:

Hackers send bogus emails purporting to be from one of your online accounts, urging you to verify your account or reset your password. 

• The email will include a link that directs you to a fake website.
• If you click on the link, the hacker will see any details you share on the website.

What to do:

• Avoid clicking on links. Bogus links may install malware on your computer or lead you to an unsecured website. 
• Check for signs of potential fraud. Look out for design flaws, misspelled words, and incorrect grammar.
• Verify that the sender's email address is real. Hover your cursor over the sender's name to reveal the email address. If the address differs from the name, it's probably a scam.

📚 Related: What To Do If a Scammer Has Your Email Address →

4. Infecting your devices with malware

Malware — or malicious software — is any intrusive software designed to disrupt or damage computers and computer systems. Hackers use these programs to spy on their targets and actively scan for passwords and login details. 

How this happens:

• Hackers include links in spam emails or on fake websites, which will trigger a malware download if you click on the link.
• Keylogger programs enable hackers to spy on you, as the malware captures everything you type. Once inside, the malware can explore your computer and record keystrokes to steal passwords.
• When they get enough information, hackers can access your accounts, including your email, social media, and online banking.

What to do:

• Always install updates. Don’t ignore automated reminders to update your operating system. The latest software versions will safeguard your devices with the most current security fixes.
• Use antivirus software. In the event that you need to download software online, an antivirus program can scan for malware first.
• Do not trust pop-ups. Some pop-up ads may prompt you to install antivirus software. But these are scams; clicking on the pop-up will infect your computer. Always download software from official websites.

5. Brute-force attacks

A brute-force attack is a cryptographic hack that uses trial and error to access crack password combinations (also known as “password spraying”). This simplistic approach is an old, but still-popular hacking method. The weekly rate of brute-force attacks rose by a massive 671% in June 2021 [*].

How this happens:

• Because many people use weak passwords, brute-force attacks remain effective for hacking accounts. 
• Attackers use an automated computer algorithm to rapidly try different passwords. Some brute-force attacks can attempt one billion passwords per second!
• Brute-force programs iterate through letters, numbers, and symbols — changing one character at a time until finding a successful combination. 

What to do:

• Use biometrics. If possible, move away from passwords and use biometric security measures like facial recognition or fingerprint recognition.
• Use account lockouts. When you set a limit for the number of failed login attempts, you can slow down or deter hackers from succeeding in their brute-force attack attempts. 
• Set up two-factor authentication (2FA). This additional security layer prevents hackers from accessing your accounts. Even if hackers get your password, they won’t be able to access your smartphone or email without a 2FA code.

📚 Related: How Hackers Get Into Your Computer (And How To Stop Them) →

6. Dictionary attacks

Whereas brute-force attacks attempt every possible combination by changing one character at a time, dictionary attacks rely on preset lists of words and known passwords that people tend to use. Hackers hit TransUnion South Africa servers with a dictionary attack in March 2022 before demanding $15 million in cryptocurrency [*].

How this happens:

• Hackers use a defined list of common passwords which serves as a dictionary for hacking. The attacker tries to crack an account by combining each password from the dictionary with different usernames. 
• Often, hackers use an automated system to quickly attempt multiple permutations. In the TransUnion case, the password didn’t take long to crack — it was set to “password.”
• Once hackers gain access, they can lock you out of your accounts, steal personal data, and use the information for various types of identity theft. 

What to do:

• Create stronger passwords. Most online accounts require medium-strong password strength during the signup process. Don’t make it easy for hackers.
• Use passphrases. Instead of short passwords that are easily guessed, use longer sentences that include a mix of characters.
• Set up two-factor authentication (2FA). If hackers get your password, they will still need to verify its authenticity through a text message code or email verification link.

📚 Related: How To Recover a Hacked Facebook Account →

7. Credential stuffing

Credential stuffing occurs when hackers try using your password from one account on a different account to see if you reused it. Because many people reuse passwords, credential stuffing works more than you’d think.

How this happens:

• Hackers obtain a list of usernames and passwords after a data breach, like the NeoPets breach that compromised 69 million user accounts [*]. 
• The attackers attempt to find other online accounts that reuse the same login credentials. Rather than trying multiple combinations, hackers attempt just one password for every username. 
• Hackers often use automated technology to form a botnet, which rapidly distributes these attacks across different IP (internet protocol) addresses.

What to do:

• Don’t reuse passwords. This is by far the most effective way to avoid falling prey to credential stuffing attacks.
• Install a web application firewall (WAF). This service automatically detects suspicious login attempts or abnormal traffic from botnets.
• Limit authentication requests. It’s best to freeze accounts after just three to five failed login requests, as this will stop attackers even if they use different IP addresses.

8. Shoulder surfing

When you're using your smartphone on the subway, in a cafe, or at work, someone could be literally looking over your shoulder. Cybersecurity expert Jake Moore ran an experiment using this low-tech method to hack a friend's Snapchat account [*]. If you're not careful, hackers could shoulder surf their way right into your bank account. 

How this happens:

• Shoulder surfing is a simple method of local discovery in which hackers get close to their targets in order to watch them using their devices.
• The thief will observe you entering in a password — perhaps for an online banking account, or to retrieve emails. 
• Another form of local discovery occurs when hackers search around someone's desk. People erroneously believe it's safe to write their passwords down on post-it notes and display them in easy-to-find places — like on the side of a computer monitor.

What to do:

• Be aware of your surroundings. Take a moment to look around you, and check that nobody is watching — as it only takes a few seconds for someone to spy on your password.
• Add 2FA to your accounts. 2FA helps prevent many attacks because the user won’t have access to your phone or email.
• Avoid writing credentials down. Instead of keeping your passwords on scraps of paper, store your login details in a secure password manager. 

📚 Related: Shoulder Surfing: How Scammers Rob You With Their Eyes →

9. Man-in-the-Middle attacks (i.e. Wi-Fi hacking)

A man-in-the-middle attack (MitM) occurs when hackers intercept your network connection and steal your passwords or any other data that you’re transmitting. In July 2022, Microsoft reported that a MiTM campaign had targeted Office 365 users in 10,000 organizations over the previous year [*].

How this happens:

• MiTM attacks happen when hackers use a fake website or server to insert themselves between a user and the real site that the user wants to access.
• Attackers can then hijack a user’s sign-in session and intercept the password and the cookie session.
• Once they have these details, attackers can skip the authentication process even if the user has multi-factor authentication (MFA). 

What to do:

• Browse safely. You will see a padlock icon next to the address bar on secure websites. Also, look for "HTTPS" at the start of the URL (not “HTTP”). If you don't see these security markers, leave the site immediately. 
• Use a VPN. A virtual private network masks your IP address and encrypts your data, making access more difficult for hackers. Learn more about Aura’s military-grade VPN →
• Use a firewall. This additional layer of security lets you set security preferences and restrict the content you can access on your computer. Firewalls also serve as robust safeguards to protect children who may not be aware of online threats while browsing.

📚 Related: Was Your IP Address Hacked? Here's How To Tell →

10. Hacking your phone

If someone hacks your phone, they could access your banking, emails, social media, and other private information. Be especially careful about what apps you download. Nearly 80% of all attacks against mobile devices happen through malicious apps [*]. Also, be sure to properly wipe old devices before recycling, selling, or trashing them.

How this happens:

• Hackers create malicious apps that can siphon personal information from your device when you download or use the apps.
• Cybercriminals set up fake public Wi-Fi networks to lure and redirect people to malicious websites where they can steal personal information.
• Hackers use SIM swap scams to trick network providers into transferring your phone number to their device.

What to do:

• Use a VPN and antivirus software. These security measures will help keep your passwords safe when you use your phone to browse online.
• Keep OS updated with the latest patches. Every time a new update for your phone’s OS is released, it includes additional security features designed to protect against known hacking methods.
• Download apps from trusted sources. You should only download updates from Google Plays or the iOS App Store — not from third-party marketplaces. 

📚 Related: Can Someone Hack You With Just Your Phone Number? →

How to keep your online accounts safe from hackers

1. Use antivirus and a VPN. You can keep all your devices safe from hackers and malware with military-grade encryption and Wi-Fi protection.
2. Keep all of your software up to date. Most modern operating systems come with automatic update protocols, but it is best to check for these updates regularly so that hackers can't compromise your system.  
3. Don’t open or download unknown email attachments. When you receive an email from an unknown source, never open any links or attachments. 
4. Regularly check your credit report and bank statements. Scammers are almost always after your financial accounts. Check for the warning signs of identity theft — such as strange charges on your bank statement or accounts you don’t recognize. An identity theft protection service like Aura can monitor your credit and statements for you and alert you to any signs of fraud.
5. Create strong passwords. Your password is your first — and, in some cases, only — line of defense against hackers. 
6. Never reuse passwords. Make sure the passwords for all of your accounts are completely unique so that hackers can’t access all of your accounts with a single attack.
7. Install a password manager. Aura’s password manager is integrated into all Aura plans, making it easy to store complex passwords for multiple online accounts.
8. Consider signing up for identity theft protection. Aura’s top-rated identity theft protection monitors all of your most sensitive personal information, online accounts, and finances for signs of fraud. If a scammer tries to access your accounts or finances, Aura can help you take action before it’s too late. Try Aura’s 14-day free trial for immediate protection while you’re most vulnerable.

📚 Related: Digital Security: Your Personal Protection & Online Privacy Guide for 2024 →

How To Create Strong Passwords That Hackers Can’t Crack

Creating a strong password isn’t as difficult as you might think. And setting complex, unique passwords for every account is one of the best ways to keep hackers at bay.

So, what makes a password strong? Here are five tips:

• Make it unique. Avoid obvious password options such as birthdays or a pet's name. Think of a random word or phrase with no connection to your life or other accounts.
• Make it long. You should go beyond the minimum 8-character standard to create passwords with 10-15 characters. A good method is to create a random phrase or sentence with upper and lower case letters (for example, “SAf3tyF1r$t”).
• Use a mix of characters, cases, special characters, and symbols. Your password doesn’t have to be logical. If you use a random sequence, it is more difficult to crack.
• Avoid common substitutions. Remember that hackers have a dictionary loaded with commonly used passwords for brute-force attacks — so don’t trust anything like “pa$$word” or “password1” to keep your bank account safe.
• Don’t follow easy keyboard paths. The classic “123456” or “qwerty” should be left in the past. These passwords are overused and easily guessed.

You can increase your personal online security and reduce the chances of a hack if you use better methods to generate new passwords. For example:

• The passphrase method is a password that contains a sentence or phrase that you find memorable, but will be harder to guess.
• The revised password method is a twist on the previous approach, combining unusual words, names, and locations to make a nonsensical phrase that only you will remember (e.g. CocoMelonAndTheRockGoToMongolia).
• The encrypted sentence method is another variation on the passphrase, in which you only use the first two letters of each word (e.g., BostonCelticsAreTheBestTeamEver = BoCeArThBeTeEv).

📚 Related: The Best LastPass Alternatives in 2024 (Free & Paid) →

The Bottom Line: Stop Scammers From Stealing Your Passwords

So, how do hackers get passwords? With alarming ease. 

And if you’re not careful, one hack could cause severe harm to your online accounts, finances, and credit. Someone could even steal your identity.

If you want to protect yourself and your family from hackers, you should consider Aura's digital security solution. 

With Aura, you get:

• Account monitoring with fraud alerts. Aura monitors your online accounts, financial accounts, and more for signs of fraud. You’ll get alerted in near-real time of any suspicious activity.
• VPN and malware protection. Aura keeps all your devices safe from hackers and malware with military-grade encryption and Wi-Fi protection.
• Dark Web scanning. Aura also scans the Dark Web for your personal information, like your credit card numbers and SSNs.
• 24/7 Fraud Resolution specialists. If the worst should happen, you’ll have 24/7 support from a team of U.S.-based fraud resolution specialists. 
• $1 million insurance policy. Every Aura plan offers $1,000,000 in coverage for eligible losses due to identity theft.

Secure your digital life. Try Aura free for 14 days →