How Do Hackers Get Passwords? (And How To Stop Them)


Irina Malteseva

Growth marketer fighting scammers


    Do Hackers Have Your Passwords?

    In June 2021, a forum user posted RockYou2021, the largest compilation of leaked passwords seen to date. The file held over 8.4 billion entries [*], stitched together from earlier breaches and wordlists, and put millions of people at risk of account takeovers, financial fraud, and identity theft.

    If fraudsters steal your passwords, they could hack your email and bank accounts and even steal your identity. But despite the growing threat, few Americans do enough to keep their passwords safe.

    Over half of Americans say they haven’t changed their passwords in the past year — even after hearing about a data breach in the news [*]. But maybe even worse, 68% of Americans say they use the same password across multiple accounts [*]. If you make this mistake, a hacker could compromise all of your accounts with a single attack. 

    But how do hackers get passwords in the first place? And what can you do to protect yourself and your family from becoming victims?

    If you think your passwords are safe, think again. Read on as we explore the warning signs of password cracking, explain how hackers get passwords, and offer actionable advice to protect your online accounts from cyberattacks.

    5 Red Flags That Your Passwords Have Been Hacked

    If hackers gain access to your passwords, they can do serious damage to your finances, reputation, and online identity. Once someone knows your login credentials, they could:

    • Access your email and social media accounts.
    • Make fraudulent purchases and transfers using your bank accounts.
    • Acquire your personally identifiable information (PII) and use it for identity theft.
    • Sell your information on the Dark Web.

    To minimize the damage of password hacking, it’s crucial that you learn to recognize the signs of a compromised password. Here are some red flags:

    1. Your password isn’t working. When hackers gain access to an account, they often change the password and lock you out. If your normal passwords don't work, you may have been hacked. 
    2. Slow computer performance. We've all experienced our computers lagging over time — but a sudden slowdown can be a sign that your device has been infected with password-stealing malware.
    3. You find your information on the Dark Web. Hackers might sell your passwords to other criminals, which puts you at risk of identity theft or financial fraud. 
    4. Ransomware messages. Hackers can use malware to encrypt your files and programs, then lock you out until you pay them to regain control. Ransomware gangs frequently get their initial foothold with stolen login credentials. In April 2022, a series of ransomware attacks hit 27 government bodies in Costa Rica, leading the country to declare a national emergency [*]. 
    5. Friends and family members receive weird messages from you online. If hackers gain access to your accounts, they’ll often try to scam your friends and family. Pay attention if someone tells you that they received strange messages from “your” account.
    Take action: If hackers have your passwords, it could put your bank account, email, or other accounts at risk. Try Aura’s #1-rated identity theft protection free for 14 days to secure your identity against scammers.

    10 Scams Hackers Use To Get Your Passwords 

    1. Buying passwords leaked in data breaches
    2. Phishing attacks
    3. Fake “password reset” emails
    4. Infecting your devices with malware
    5. Brute-force attacks
    6. Dictionary attacks
    7. Credential stuffing
    8. Shoulder surfing
    9. Man-in-the-Middle attacks (e.g., over public Wi-Fi)
    10. Hacking your phone

    Maybe you’ve already seen some warning signs. But how do hackers get passwords in the first place? 

    Here are the ways that hackers get passwords, and what you can do to stop them from getting yours.

    1. Buying passwords leaked in data breaches

    In the past year alone, billions of user passwords, logins, and other pieces of personal information have been stolen and leaked in data breaches. Malicious hackers break into databases and steal information to either use in scams or sell on the Dark Web. 

    With hackers targeting companies from Facebook to Marriott to Equifax, there’s a good chance that at least one of your accounts has been compromised. 

    You can check to see if your passwords have been exposed using Aura’s free leaked password scanner.


    How do hackers get passwords from data breaches?

    • Hackers target sites with vulnerable security practices (such as storing passwords in plain text, or as unsalted, fast hashes that are quick to crack) and steal the account data of thousands or even millions of users at once. This can include login credentials, credit card details, and Social Security numbers (SSNs).
    • Hackers then advertise the stolen “data dumps” on illicit marketplaces and forums on the Dark Web.
    • Other hackers or identity thieves can purchase and use the information for financial gain.
    How to protect yourself against hackers after a data breach:
    • Create different passwords for each account. A unique password for every account means that one breached site can't unlock your others, and a long, complex one is harder to crack if the stolen data is only hashed.
    • Look out for news of data breaches. Change your passwords immediately if you realize you have an account with a company that just suffered a data breach.
    • Watch for fraud warnings. You might receive an email about a data breach. Visit the company website, and call the official customer support number to verify the situation — never respond via any methods listed in the email.

    Related: Here’s What To Do After a Data Breach

    2. Phishing attacks

    Phishing is one of the most common methods hackers use to steal personal information, including passwords. Six billion phishing attacks are expected to take place this year alone [*].

    How do hackers get passwords from phishing attacks?

    • Hackers send official-looking emails purporting to be from trustworthy organizations, like the IRS, your bank, or popular ecommerce stores. 
    • The phishing emails include links that trick you into visiting a fake website — like an ecommerce store's payment page. If you trust that everything looks legitimate, you might unwittingly share your details.
    • Alternatively, clicking on the link can trigger a malware download, which gives the hacker access to your computer. At that point, the thief can steal your passwords.
    How to protect yourself against phishing:
    • Don’t reply to spam messages. If you get an email from someone you don’t know, or notice any suspicious issues (like typos or an odd address), delete it and don’t reply.
    • Avoid clicking on links or attachments in emails. It’s best to research the sender first. Contact them using the details located on their official website.
    • Never share your personal information. Even if it’s an email from someone who claims to be an old friend, you shouldn’t reveal your passwords or sensitive information online. 

    Related: How To Tell If An Email Is From a Scammer [With Examples]

    3. Fake “password reset” emails

    Do you keep getting password reset emails even though you never asked for them? You’re not alone. Fake password reset emails are among the most common phishing lures. Apple warned users about this scam in July 2022, as hackers ramped up efforts to trick users into sharing their credentials [*]. 

    How do hackers use fake password reset emails to view your personal information?

    Hackers send bogus emails purporting to be from one of your online accounts, urging you to verify your account or reset your password. 

    • The email will include a link that directs you to a fake website.
    • If you click on the link and type your details into the fake page, the hacker receives everything you enter, including your current password.
    How to protect yourself against fake password reset emails:
    • Avoid clicking on links. Bogus links may install malware on your computer or lead you to a fake login page. Go to the service directly by typing its address or opening its app, and change your password there if you are worried.
    • Check for signs of potential fraud. Look out for design flaws, misspelled words, incorrect grammar, and artificial urgency (“reset within 24 hours”).
    • Verify the sender's real address. Hover over or tap the sender's name to reveal the address behind it. The display name is just text that anyone can set; what matters is the domain after the @, which should belong to the company itself and not to a look-alike. Even that can be forged, which is one more reason to avoid the email's links altogether.
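    To make the two checks from sections 2 and 3 concrete (the brand a display name claims versus the domain after the @, and a link's visible text versus where its href really points), here is an added Python example. It is not from the original article: the email, the domains and the brand-to-domain table are constructed for the demonstration, and the domain parsing is deliberately simple.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure impersonating Apple; the sender and link domains are made up.
SAMPLE_EMAIL = """\
From: "Apple Support" <security@appleid-verify-account.example>
To: victim@example.com
Subject: Your Apple ID password must be reset
Content-Type: text/html

<html><body>
<p>We noticed a sign-in from a new device. Reset your password within 24 hours:</p>
<p><a href="https://appleid-verify-account.example/reset?u=victim">https://appleid.apple.com/reset</a></p>
<p>Questions? See <a href="https://www.apple.com/legal/">apple.com/legal</a></p>
</body></html>
"""

# Which domains a brand legitimately mails from. Constructed for the example;
# a real filter would keep a maintained allowlist.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: appleid.apple.com -> apple.com. Adequate
    here; production code should use the Public Suffix List (think example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header: str):
    """Section 3's tip: the display name is free text, so compare the brand it
    claims against the domain after the @."""
    name, addr = parseaddr(from_header)
    domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in allowed:
            return f"display name '{name}' but address domain '{domain}'"
    return None


def check_links(html: str) -> list:
    """Section 2's tip: link text can name one site while the href goes to
    another. Flag every link whose visible hostname differs from the real one."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append(f"text shows '{text}' but href goes to '{real_host}'")
    return findings


def analyse(raw_email: str) -> dict:
    msg = message_from_string(raw_email)
    return {"sender": check_sender(msg["From"]), "links": check_links(msg.get_payload())}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

    The second link in the sample (text and href both on apple.com) passes, which is the point: the check is about mismatch, not about links being present. A brand-impersonating display name with a matching domain also passes, so this catches look-alikes, not a forged From header; for that, the advice above to go to the site directly still applies.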

    Related: What To Do If a Scammer Has Your Email Address

    4. Infecting your devices with malware

    Malware — or malicious software — is any intrusive software designed to disrupt or damage computers and computer systems. Hackers use these programs to spy on their targets and actively scan for passwords and login details. 

    How do hackers get passwords using malware?

    • Hackers include links in spam emails or on fake websites, which will trigger a malware download if you click on the link.
    • Keylogger programs record everything you type, so the malware captures your passwords as you enter them; other strains scan the machine for saved logins instead.
    • When they get enough information, hackers can access your accounts, including your email, social media, and online banking.
    How to protect against malware:
    • Always install updates. Don’t ignore automated reminders to update your operating system. The latest software versions will safeguard your devices with the most current security fixes.
    • Use antivirus software. In the event that you need to download software online, an antivirus program can scan for malware first.
    • Do not trust pop-ups. Some pop-up ads prompt you to install “antivirus” software. These are usually scams; clicking on the pop-up installs the very malware it claims to remove. Always download software from official websites.
    Take action: If scammers infect your devices with malware, they could take out loans in your name or empty your bank account. Try a digital security service with antivirus and VPN to keep your finances and devices safe from hackers.

    5. Brute-force attacks

    A brute-force attack uses trial and error to guess a password, trying combination after combination until one works. (Don’t confuse it with password spraying, which tries a handful of common passwords against many accounts to avoid lockouts.) This simplistic approach is an old, but still-popular, hacking method. The weekly rate of brute-force attacks rose by a massive 671% in June 2021 [*].

    [Chart: LastPass data about reusing passwords. The majority of people use the same or similar passwords for multiple accounts. Source: LastPass]

    How do hackers get passwords with brute-force attacks?

    • Because many people use short, weak passwords, brute-force attacks remain effective for hacking accounts. 
    • Attackers use automated tools to try passwords rapidly. Online services throttle login attempts, so most brute forcing runs offline against password hashes stolen in a breach, where some setups can test a billion guesses per second!
    • Brute-force programs iterate through letters, numbers, and symbols, changing one character at a time until a guess matches. Each extra character multiplies the number of guesses needed, which is why length does more for you than cleverness.
    How to protect against brute-force attacks:
    • Use biometrics. Where offered, fingerprint or facial recognition lets you unlock your devices and password manager without typing a password, so you can afford a long one.
    • Use account lockouts. If you run a website or service, limit the number of failed login attempts per account; this slows online brute-force attacks, although it does nothing against offline cracking of stolen hashes. 
    • Set up two-factor authentication (2FA). Even if hackers guess your password, they can’t complete the login without the second factor, such as a code sent to your phone.

    Related: How Hackers Get Into Your Computer (And How To Stop Them)

    6. Dictionary attacks

    Whereas brute-force attacks attempt every possible combination by changing one character at a time, dictionary attacks rely on preset lists of words and known passwords that people tend to use. Hackers hit TransUnion South Africa servers with a dictionary attack in March 2022 before demanding $15 million in cryptocurrency [*].

    How do hackers get passwords using dictionary attacks?

    • Hackers use a defined list of common passwords which serves as a dictionary for hacking, usually extended with scripted variations such as capital letters, appended years, or symbol substitutions. The attacker tries each entry against a username. 
    • Often, hackers use an automated tool that runs through the permutations in seconds. In the TransUnion case, the password didn’t take long to crack: it was set to “password.”
    • Once hackers gain access, they can lock you out of your accounts, steal personal data, and use the information for various types of identity theft.
    How to protect against dictionary attacks:
    • Create stronger passwords. Most sites enforce only minimum rules at signup. Go well beyond them, and avoid anything that is a dictionary word with a few substitutions, because those variations are the first thing the tools try.
    • Use passphrases. Instead of short passwords that are easily guessed, use longer phrases made of several unrelated words.
    • Set up two-factor authentication (2FA). If hackers get your password, they will still need your second factor, such as a text message code or an email verification link.
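    The following added Python example, which is not from the original article, shows both attacks from sections 5 and 6 against a constructed “breach dump”. It assumes the breached site stored unsalted SHA-256 hashes, one of the weak storage practices section 1 mentions; the usernames, passwords and wordlist are constructed, and the guess rate is the one billion per second quoted above.

```python
import hashlib
import itertools
import string

GUESSES_PER_SECOND = 1_000_000_000  # the rate quoted in section 5


def sha256_hex(pw: str) -> str:
    """Unsalted SHA-256, standing in for a site's weak password storage."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed "breach dump": username -> stored hash. In a real dump you would
# not know the plaintexts; they appear here only so the example is checkable.
STOLEN_HASHES = {
    "alice": sha256_hex("password"),                        # the TransUnion choice
    "bob": sha256_hex("Summer2021!"),                       # word + year + symbol
    "carol": sha256_hex("pa$$word"),                        # "clever" substitution
    "dave": sha256_hex("CocoMelonAndTheRockGoToMongolia"),  # long passphrase
    "erin": sha256_hex("zoo"),                              # short, in no wordlist
}

# Constructed mini-dictionary; real lists run to millions of leaked passwords.
WORDLIST = ["password", "summer", "winter", "letmein", "qwerty", "123456", "welcome"]
LEET = str.maketrans({"a": "@", "s": "$", "e": "3", "o": "0", "i": "1"})


def mangle(word: str):
    """Yield the word plus the variations attackers script: case changes,
    leetspeak substitutions, and appended years, digits and symbols."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}    # p@$$w0rd
    bases |= {b.replace("s", "$") for b in list(bases)}  # pa$$word
    suffixes = [""] + [str(year) for year in range(2018, 2023)] + ["1", "123", "!"]
    for base in bases:
        for suffix in suffixes:
            yield base + suffix
            if suffix and suffix[-1].isdigit():
                yield base + suffix + "!"


def dictionary_attack(hashes: dict) -> dict:
    """Return {username: password} for every stored hash matched by a mangled
    wordlist entry. Unsalted hashes mean one guess is checked against all users."""
    by_hash = {h: user for user, h in hashes.items()}
    cracked = {}
    for word in WORDLIST:
        for guess in mangle(word):
            user = by_hash.get(sha256_hex(guess))
            if user is not None:
                cracked.setdefault(user, guess)
    return cracked


def brute_force(hashes: dict, max_len: int = 3, alphabet: str = string.ascii_lowercase) -> dict:
    """Exhaustive search of every lowercase string up to max_len, one character
    at a time. Kept tiny here: 26**3 is under 18,000 guesses."""
    by_hash = {h: user for user, h in hashes.items()}
    cracked = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            user = by_hash.get(sha256_hex(guess))
            if user is not None:
                cracked[user] = guess
    return cracked


def seconds_to_exhaust(length: int, charset_size: int) -> float:
    """Worst-case time to try every combination at GUESSES_PER_SECOND."""
    return charset_size ** length / GUESSES_PER_SECOND


def keyspace_report() -> dict:
    """Why length beats complexity: 16 lowercase letters dwarf 8 of anything."""
    return {
        "8 lowercase": seconds_to_exhaust(8, 26),
        "8 mixed case + digits + symbols": seconds_to_exhaust(8, 95),
        "12 lowercase": seconds_to_exhaust(12, 26),
        "16 lowercase": seconds_to_exhaust(16, 26),
    }


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(STOLEN_HASHES))
    print("brute force (<=3 lowercase):", brute_force(STOLEN_HASHES))
    for label, secs in keyspace_report().items():
        print(f"{label}: {secs / 86400:,.1f} days")
```

    The dictionary pass recovers alice, bob and carol in well under a second, including the “pa$$word” substitution, and never touches dave's passphrase; the brute-force pass finds erin's three-letter password by exhaustion. Eight lowercase characters fall in under four minutes at the quoted rate, whereas sixteen lowercase characters take over a million times longer than eight characters drawn from the full keyboard.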

    7. Credential stuffing

    Credential stuffing occurs when hackers take a username and password exposed in one breach and try them on other sites to see if you reused them. Because many people reuse passwords, credential stuffing works more than you’d think.

    How do hackers get passwords by using credential stuffing?

    • Hackers obtain a list of usernames and passwords after a data breach, like the NeoPets breach that compromised 69 million user accounts [*]. 
    • The attackers attempt to find other online accounts that reuse the same login credentials. Rather than trying multiple combinations, hackers attempt just one password for every username. 
    • Hackers route these attempts through botnets or proxy networks so that they arrive from thousands of different IP (internet protocol) addresses, which defeats simple per-IP rate limits.
    How to protect against credential stuffing:
    • Don’t reuse passwords. This is by far the most effective way to avoid falling prey to credential stuffing attacks.
    • Use a web application firewall (WAF) or bot-management service. For website operators, these detect suspicious login traffic and abnormal patterns from botnets.
    • Limit authentication requests. Freezing an account after three to five failed logins stops brute force against that account, but credential stuffing makes only one guess per account, so operators also need rate limits that look across accounts and IP ranges, and should force a reset on any account where a stolen password still works.
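    For the “limit authentication requests” point, this added Python example (not from the original article) runs over constructed login log lines and shows why a per-account lockout catches brute force but misses credential stuffing, and what a cross-account check looks like. The log format, thresholds and window size are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed log: "<HH:MM:SS> <client ip> <username> <OK|FAIL>".
# 10:00 one account, many guesses, one address (brute force).
# 10:01 many accounts, one guess each, many addresses (credential stuffing).
# 10:02 ordinary traffic, including one mistyped password.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 alice FAIL
10:00:02 203.0.113.5 alice FAIL
10:00:03 203.0.113.5 alice FAIL
10:00:04 203.0.113.5 alice FAIL
10:00:05 203.0.113.5 alice FAIL
10:00:06 203.0.113.5 alice FAIL
10:00:07 203.0.113.5 alice FAIL
10:01:00 198.51.100.1 bob FAIL
10:01:00 198.51.100.2 carol FAIL
10:01:01 198.51.100.3 dave OK
10:01:01 198.51.100.4 frank FAIL
10:01:02 198.51.100.5 grace FAIL
10:01:02 198.51.100.6 heidi FAIL
10:01:03 198.51.100.7 ivan FAIL
10:01:03 198.51.100.8 judy FAIL
10:02:10 192.0.2.7 erin OK
10:02:30 192.0.2.8 karl FAIL
10:02:41 192.0.2.8 karl OK
"""


@dataclass
class Attempt:
    time: str
    ip: str
    user: str
    ok: bool


def parse(log: str) -> list:
    attempts = []
    for line in log.splitlines():
        if line.strip():
            time, ip, user, result = line.split()
            attempts.append(Attempt(time, ip, user, result == "OK"))
    return attempts


def to_seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def windows(attempts: list, size: int = 60) -> list:
    """Group attempts into fixed buckets of `size` seconds, oldest first."""
    buckets = defaultdict(list)
    for a in attempts:
        buckets[to_seconds(a.time) // size].append(a)
    return [buckets[k] for k in sorted(buckets)]


def classify_window(attempts: list, lockout_after: int = 5,
                    min_accounts: int = 5, min_fail_ratio: float = 0.6) -> set:
    """Brute force: one account exceeds the lockout threshold. Credential
    stuffing: at least min_accounts accounts see one or two attempts each and
    most of them fail. No account reaches the lockout threshold in that case,
    so a per-account rule alone stays silent."""
    labels = set()
    fails = Counter(a.user for a in attempts if not a.ok)
    if any(n > lockout_after for n in fails.values()):
        labels.add("brute_force")
    per_user = Counter(a.user for a in attempts)
    low_volume = [a for a in attempts if per_user[a.user] <= 2]
    if len({a.user for a in low_volume}) >= min_accounts:
        fail_ratio = sum(1 for a in low_volume if not a.ok) / len(low_volume)
        if fail_ratio >= min_fail_ratio:
            labels.add("credential_stuffing")
    return labels


def analyse(log: str) -> dict:
    """Per-minute report: labels, distinct source IPs, and accounts where a
    stuffing guess succeeded (those users reused a breached password)."""
    report = {}
    for window in windows(parse(log)):
        labels = classify_window(window)
        hits = sorted({a.user for a in window if a.ok}) if "credential_stuffing" in labels else []
        report[window[0].time[:5]] = {
            "labels": labels,
            "distinct_ips": len({a.ip for a in window}),
            "reused_password_hits": hits,
        }
    return report


if __name__ == "__main__":
    for minute, info in analyse(SAMPLE_LOG).items():
        print(minute, info)
```

    In the 10:01 window every account fails at most once, so a three-to-five-failure lockout never fires; the cross-account view (eight accounts, eight addresses, seven failures in eight attempts) is what flags it, and the one success identifies the user whose reused password must be reset.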
    Take action: Protect yourself from the risks of identity theft and fraud with Aura’s $1,000,000 in identity theft insurance. Try Aura free for 14 days to see if it’s right for you.

    8. Shoulder surfing

    When you're using your smartphone on the subway, in a cafe, or at work, someone could be literally looking over your shoulder. Cybersecurity expert Jake Moore ran an experiment using this low-tech method to hack a friend's Snapchat account [*]. If you're not careful, hackers could shoulder surf their way right into your bank account. 

    How do hackers get passwords from shoulder surfing?

    • Shoulder surfing is a simple method of local discovery in which hackers get close to their targets in order to watch them using their devices.
    • The thief will observe you entering a password, perhaps for an online banking account, or to retrieve emails. 
    • Another form of local discovery occurs when hackers search around someone's desk. People erroneously believe it's safe to write their passwords down on post-it notes and display them in easy-to-find places — like on the side of a computer monitor.
    How to protect against shoulder surfing:
    • Be aware of your surroundings. Take a moment to look around you, and check that nobody is watching — as it only takes a few seconds for someone to spy on your password.
    • Add 2FA to your accounts. 2FA blunts this attack because the attacker, even after watching you type your password, won’t have your phone or email.
    • Avoid writing credentials down. Instead of keeping your passwords on scraps of paper, store your login details in a secure password manager.

    Related: Shoulder Surfing: How Scammers Rob You With Their Eyes

    9. Man-in-the-Middle attacks (e.g., over public Wi-Fi)

    A man-in-the-middle attack (MitM) occurs when hackers intercept your connection to a website and read or alter what passes through it, including your password. In July 2022, Microsoft reported that a MitM phishing campaign had targeted Office 365 users in 10,000 organizations over the previous year [*].

    How do hackers get passwords with man-in-the-middle attacks?

    • MitM attacks happen when hackers use a fake website or proxy server to insert themselves between a user and the real site that the user wants to access, relaying traffic in both directions so that everything looks normal.
    • Attackers can then hijack a user’s sign-in session and intercept both the password and the session cookie that the real site issues after a successful login.
    • Once they have the session cookie, attackers can skip authentication even if the user has multi-factor authentication (MFA): the cookie proves that a login already passed MFA, so replaying it needs no password or code. 
    How to protect against man-in-the-middle attacks:
    • Browse safely. Before typing a password, check the domain in the address bar. The padlock icon and “HTTPS” only confirm that your connection to that site is encrypted; a fake site can have both, so they prove nothing about who runs it. If a site you know should use HTTPS loads over plain “HTTP”, leave it immediately. 
    • Use a VPN. A virtual private network masks your IP address and encrypts your data, making access more difficult for hackers. Learn more about Aura’s military-grade VPN →
    • Use a firewall. A firewall blocks unsolicited incoming connections to your computer, which limits what an attacker sharing your network can reach. The firewalls bundled with consumer security suites often add content filtering and parental controls on top.
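    An added Python example, not from the article, showing the session-cookie theft described above with in-process stand-ins for the real site, the proxy and the victim. The account, password and one-time code are constructed; nothing here touches the network.

```python
import hmac
import secrets


class RealSite:
    """Toy service: checks password and a one-time code, then issues a random
    session cookie. Codes are single-use, as real TOTP/SMS codes should be."""

    def __init__(self):
        # Constructed account; a real service would store a password hash.
        self.users = {"victim": {"password": "Tr0ub4dor&3", "otp": "492817"}}
        self.used_otps = set()
        self.sessions = {}  # cookie -> username

    def login(self, user: str, password: str, otp: str):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        if otp in self.used_otps or not hmac.compare_digest(rec["otp"], otp):
            return None
        self.used_otps.add(otp)
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def read_mail(self, cookie: str) -> str:
        """Any request carrying a valid cookie is served: after login the cookie
        is the only proof of identity, which is exactly what the attacker wants."""
        user = self.sessions.get(cookie)
        return f"inbox of {user}" if user else "401 Unauthorized"


class AitmProxy:
    """The look-alike phishing site. It forwards whatever the victim types to
    the real site in real time, returns the real response, and keeps a copy."""

    def __init__(self, site: RealSite):
        self.site = site
        self.captured = {}

    def login(self, user: str, password: str, otp: str):
        cookie = self.site.login(user, password, otp)
        self.captured = {"user": user, "password": password, "otp": otp, "cookie": cookie}
        return cookie  # the victim sees a normal, successful sign-in


def run_attack() -> dict:
    site = RealSite()
    proxy = AitmProxy(site)

    # 1. Victim enters the real password and a fresh one-time code on the fake page.
    victim_cookie = proxy.login("victim", "Tr0ub4dor&3", "492817")

    # 2. Replaying the captured password + code later fails: the code was consumed.
    creds_replay = site.login("victim", proxy.captured["password"], proxy.captured["otp"])

    # 3. Replaying the captured cookie succeeds: no password, no code, MFA bypassed.
    cookie_replay = site.read_mail(proxy.captured["cookie"])

    return {
        "victim_signed_in": victim_cookie is not None,
        "credential_replay": creds_replay,
        "cookie_replay": cookie_replay,
    }


if __name__ == "__main__":
    for step, outcome in run_attack().items():
        print(f"{step}: {outcome}")
```

    Step 2 shows that MFA did its job at login time; step 3 shows why that is not enough once the attacker sits in the path. The proxy necessarily lives on a domain that is not the real one, which is why the “check the address bar” advice above is the defence that actually applies here.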

    Related: Was Your IP Address Hacked? Here's How To Tell (and What To Do!)

    10. Hacking your phone

    If someone hacks your phone, they could access your banking, emails, social media, and other private information. Be especially careful about what apps you download. Nearly 80% of all attacks against mobile devices happen through malicious apps [*]. 

    How do hackers get passwords by hacking your mobile device?

    • Hackers create malicious apps that can siphon personal information from your device when you download or use the apps.
    • Cybercriminals set up fake public Wi-Fi networks to lure and redirect people to malicious websites where they can steal personal information.
    • Hackers use SIM swap scams to trick network providers into transferring your phone number to their device. 
    How to protect your phone from being hacked:
    • Use a VPN and antivirus software. These security measures will help keep your passwords safe when you use your phone to browse online.
    • Keep your OS updated with the latest patches. Every update for your phone’s OS includes fixes for security holes that hackers already know how to exploit.
    • Download apps from trusted sources. Only install apps from Google Play or the iOS App Store, not from third-party marketplaces. 

    Related: Can Someone Hack You With Just Your Phone Number?

    How to keep your online accounts safe from hackers

    1. Use antivirus and a VPN. You can keep all your devices safe from hackers and malware with military-grade encryption and Wi-Fi protection.
    2. Keep all of your software up to date. Most modern operating systems update automatically, but check regularly that updates are actually being installed, so that known flaws can’t be used to compromise your system.  
    3. Don’t open or download unknown email attachments. When you receive an email from an unknown source, never open any links or attachments. 
    4. Regularly check your credit report and bank statements. Scammers are almost always after your financial accounts. Check for the warning signs of identity theft — such as strange charges on your bank statement or accounts you don’t recognize. An identity theft protection service like Aura can monitor your credit and statements for you and alert you to any signs of fraud.
    5. Create strong passwords. Your password is your first — and, in some cases, only — line of defense against hackers. 
    6. Never reuse passwords. Make sure the passwords for all of your accounts are completely unique so that hackers can’t access all of your accounts with a single attack.
    7. Install a password manager. Aura’s password manager is integrated into all Aura plans, making it easy to store complex passwords for multiple online accounts.
    8. Consider signing up for identity theft protection. Aura’s top-rated identity theft protection monitors all of your most sensitive personal information, online accounts, and finances for signs of fraud. If a scammer tries to access your accounts or finances, Aura can help you take action before it’s too late. Try Aura’s 14-day free trial for immediate protection while you’re most vulnerable.

    Related: Digital Security: Your Personal Protection & Online Privacy Guide for 2022

    How To Create Strong Passwords That Hackers Can’t Crack

    Creating a strong password isn’t as difficult as you might think. And setting complex, unique passwords for every account is one of the best ways to keep hackers at bay.

    So, what makes a password strong? Here are five tips:

    • Make it unique. Avoid obvious password options such as birthdays or a pet's name. Think of a random word or phrase with no connection to your life or other accounts.
    • Make it long. Go beyond the minimum 8-character standard and aim for at least 12 characters; every extra character multiplies the work a brute-force attack must do. Several unrelated words strung together get you there more memorably than a short jumble of symbols does.
    • Use a mix of characters, cases, special characters, and symbols. Your password doesn’t have to be logical. If you use a random sequence, it is more difficult to crack.
    • Avoid common substitutions. Remember that hackers have a dictionary loaded with commonly used passwords, plus rules that swap letters for symbols and add digits, so don’t trust anything like “pa$$word” or “password1” to keep your bank account safe.
    • Don’t follow easy keyboard paths. The classic “123456” or “qwerty” should be left in the past. These passwords are overused and easily guessed.

    You can increase your personal online security and reduce the chances of a hack if you use better methods to generate new passwords. For example:

    • The passphrase method uses a sentence or phrase that you find memorable but that others would find hard to guess.
    • The revised password method is a twist on the previous approach, combining unusual words, names, and locations into a nonsensical phrase that only you will remember (e.g., CocoMelonAndTheRockGoToMongolia).
    • The “encrypted sentence” method (really an abbreviation; nothing is encrypted) is another variation on the passphrase, in which you keep only the first two letters of each word (e.g., BostonCelticsAreTheBestTeamEver = BoCeArThBeTeEv). Note that this shortens the result considerably: the 14-character abbreviation is weaker than the full 31-character sentence.
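    An added Python example (not from the original article) that generates passphrases with a cryptographically secure random source, estimates their strength, and checks a candidate against the tips above: common passwords with their substitutions undone, keyboard walks, and length. The word list, the common-password list and the thresholds are constructed for the demonstration.

```python
import math
import secrets
import string

# Constructed word list for the demo; the diceware-style lists used in
# practice have 7776 words, and the entropy figures below use that size.
WORDS = ["coco", "melon", "rock", "mongolia", "celtic", "boston", "safety", "paper",
         "violin", "harbor", "glacier", "pepper", "orbit", "lantern", "quartz", "meadow"]
REAL_LIST_SIZE = 7776

# Constructed stand-in for the attacker's list of common passwords (section 6).
COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin"}
KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
UNLEET = str.maketrans({"@": "a", "$": "s", "3": "e", "0": "o", "1": "i"})
MIN_LENGTH = 12


def passphrase(n_words: int, words=WORDS, sep: str = "-") -> str:
    """Pick words uniformly with the secrets module. random.choice is
    predictable and must not be used for passwords."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_choices: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from n_choices.
    Valid only for randomly generated secrets, not for human-chosen sentences."""
    return length * math.log2(n_choices)


def compare_methods() -> dict:
    return {
        "8 random chars from 95 symbols": entropy_bits(95, 8),
        "4 random words (7776-word list)": entropy_bits(REAL_LIST_SIZE, 4),
        "6 random words (7776-word list)": entropy_bits(REAL_LIST_SIZE, 6),
        "5 words from this 16-word demo list": entropy_bits(len(WORDS), 5),
    }


def weaknesses(candidate: str) -> list:
    """Name the tips a candidate password breaks. An empty list means none of
    these checks fired; it does not prove the password strong."""
    problems = []
    lowered = candidate.lower()
    # Undo the trailing digits/"!" and letter-for-symbol swaps that cracking
    # rules add back anyway: "Pa$$word1" -> "password".
    core = lowered.rstrip(string.digits + "!").translate(UNLEET)
    if lowered in COMMON or core in COMMON:
        problems.append("common password (substitutions do not help)")
    if len(lowered) >= 4 and any(lowered[i:i + 4] in walk
                                 for walk in KEYBOARD_WALKS
                                 for i in range(len(lowered) - 3)):
        problems.append("keyboard walk")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    print("suggested:", passphrase(5))
    for label, bits in compare_methods().items():
        print(f"{label}: {bits:.1f} bits")
    for pw in ["pa$$word1", "qwerty", "SAf3tyF1r$t", "CocoMelonAndTheRockGoToMongolia"]:
        print(pw, "->", weaknesses(pw) or "no issues found")
```

    Four random words from a 7776-word list carry about as much entropy as eight random characters from the whole keyboard, and six words carry far more, while being easier to remember and type. The checker treats “SAf3tyF1r$t” as the 11-character “safetyfirst” it really is, which is why leetspeak on a dictionary word does not count as making it long.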

    The Bottom Line: Stop Scammers From Stealing Your Passwords

    So, how do hackers get passwords? 

    With alarming ease. 

    And if you’re not careful, one hack could cause severe harm to your online accounts, finances, and credit. Someone could even steal your identity.

    If you want to protect yourself and your family from hackers, you should consider Aura's digital security solution. 

    With Aura, you get:

    • Account monitoring with fraud alerts. Aura monitors your online accounts, financial accounts, and more for signs of fraud. You’ll get alerted in near-real time of any suspicious activity.
    • VPN and malware protection. Aura keeps all your devices safe from hackers and malware with military-grade encryption and Wi-Fi protection.
    • Dark Web scanning. Aura also scans the Dark Web for your personal information, like your credit card numbers and SSNs.
    • 24/7 Fraud Resolution specialists. If the worst should happen, you’ll have 24/7 support from a team of U.S.-based fraud resolution specialists. 
    • $1 million insurance policy. Every Aura plan offers $1,000,000 in coverage for eligible losses due to identity theft.
    Secure your digital life! Try Aura free for 14 days →
