How Do Hackers Get Passwords? - ThreatLocker Blog

How do hackers get passwords?

Contents:

  • Hackers use various methods like phishing, malware, and brute-force attacks to steal passwords.
  • Weak or reused passwords make accounts more vulnerable to breaches.
  • Data breaches expose old passwords, allowing hackers to access multiple accounts.
  • Enable two-factor authentication.
  • Regularly update software and monitor account activity for suspicious behavior.

In the rush to check emails or access sensitive systems, have you ever paused to think about how secure they really are?

This leads to the question, “How do hackers get passwords, anyway?” It's a question worth exploring because cybercriminals are constantly devising new ways to crack our codes and access our valuable information.

By understanding common password-hacking techniques, you can take proactive steps to strengthen your own password security and stay a step ahead of hackers.

Common Password Hacking Techniques

Hackers are resourceful and have many methods to gain access to your passwords. Here are some of their most common tactics:

Phishing and Social Engineering

Phishing and social engineering rely on deception and manipulation. Hackers craft convincing emails, messages, or websites that look like they come from trusted sources, such as banks, social media platforms, or even your IT department.

They often urge you to click on a link, download an attachment, or provide your password under the guise of "verification" or resolving a fake issue.

For instance, you may wonder how hackers get your email password.

You might receive an email claiming suspicious activity on your account, prompting you to click a link that leads to a fake login page. Once you enter your credentials, hackers have access.  

Similarly, another common question is “How do hackers get my Facebook password?” A phishing message could trick you into logging into a fake Facebook page, allowing them to steal your credentials.

Malware and Keyloggers

Malware is malicious software designed to infiltrate your devices and steal information, including passwords.

Keyloggers are a particularly sneaky type of malware that records every keystroke you make, capturing passwords, credit card numbers, and other sensitive data.

Hackers spread malware through various means, such as infected email attachments, malicious websites, or software downloads from untrusted sources.

Brute-Force Attacks

In a brute-force attack, hackers use automated tools to guess passwords by trying countless character combinations. Weak passwords are responsible for compromising the personal information of about 30% of internet users, so brute-force attacks are likely to affect you if your password is weak or too simple.

Data Breaches

Data breaches are a major threat. Hackers frequently target websites and databases to steal large amounts of user credentials. Even if you practice strong password habits, your password could still be exposed in a breach.

This is one of the main ways hackers get old passwords. When a breach occurs, old passwords are often part of the stolen data. Hackers can then use these to try and access accounts you haven’t updated with new passwords.

Credential Stuffing

This method takes advantage of the common habit of reusing passwords.  

Hackers use stolen usernames and passwords from data breaches and run them through automated tools to try logging into other online services.

If you’re using the same password across multiple accounts, a breach on one site could put all your accounts at risk.
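From the defender's side, the two automated attacks described above leave different traces in login logs: brute force hammers one account, credential stuffing touches many accounts a few times each. The sketch below is an added example, not ThreatLocker code; the log format, the sample events, and the threshold of 5 are constructed assumptions, and it ignores time windows for brevity.

```python
from collections import defaultdict

# Constructed sample events (not real logs): timestamp, source IP, user, outcome.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = "\n".join(
    # One source, many accounts, one try each; "dave" had reused a breached password.
    [f"2024-05-01T10:00:{i:02d}Z 203.0.113.7 {u} {'OK' if u == 'dave' else 'FAIL'}"
     for i, u in enumerate(USERS)]
    # One source, one account, many guesses.
    + [f"2024-05-01T10:05:{i:02d}Z 198.51.100.9 alice FAIL" for i in range(6)]
    # An ordinary typo followed by a good login.
    + ["2024-05-01T10:09:00Z 192.0.2.10 bob FAIL",
       "2024-05-01T10:09:08Z 192.0.2.10 bob OK"]
)


def classify_sources(log_text: str, threshold: int = 5) -> dict:
    """Flag source IPs whose failed logins look like guessing or stuffing."""
    failed = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    succeeded = defaultdict(set)                    # ip -> users that logged in
    for line in log_text.strip().splitlines():
        _ts, ip, user, outcome = line.split()
        if outcome == "FAIL":
            failed[ip][user] += 1
        else:
            succeeded[ip].add(user)
    findings = {}
    for ip, per_user in failed.items():
        if len(per_user) >= threshold:
            kind = "credential_stuffing"   # breadth: many different accounts
        elif max(per_user.values()) >= threshold:
            kind = "brute_force"           # depth: one account hit repeatedly
        else:
            continue                       # below threshold: normal user error
        findings[ip] = {
            "kind": kind,
            "failed_accounts": len(per_user),
            # Accounts that logged in from a flagged source need a forced reset.
            "logged_in": sorted(succeeded[ip]),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_LOG).items():
        print(ip, finding)
```

The `logged_in` list is the part to act on first: a successful login from a source that is otherwise spraying failures is evidence that the account's password is already known to the attacker.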

Hash Cracking

When you create a password on a website or app, it's usually not stored in plain text. Instead, it's converted into a unique string of characters called a "hash."

While hashing adds a layer of security, determined hackers may attempt to "crack" these hashes to reveal the original passwords.

So, how do hackers crack hashed passwords exactly?

They use methods like rainbow tables (pre-computed tables of hashes and their corresponding passwords) and brute-force attacks to achieve this.
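Why precomputed tables work, and what a site can do about it, shown as an added example that is not from the original post. A plain lookup dictionary stands in for a rainbow table, the wordlist is constructed, and the hardened form uses a per-user random salt with PBKDF2, a standard mitigation the article does not name; the iteration count is a demo assumption.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # demo value (assumption); tune upward for your hardware


def fast_unsalted(password: str) -> str:
    """The weak form: one fast hash, no salt. Same password -> same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precompute(wordlist):
    """A precomputed table is just hash -> password for every candidate."""
    return {fast_unsalted(word): word for word in wordlist}


def store(password: str) -> tuple:
    """The hardened form: per-user random salt plus a slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, ITERATIONS, derived


def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    table = precompute(["123456", "sunshine", "qwerty"])  # constructed wordlist
    leaked = fast_unsalted("sunshine")
    print("unsalted hash reversed by lookup:", table.get(leaked))
    a, b = store("sunshine"), store("sunshine")
    print("same password, different stored values:", a[2] != b[2])
    print("table hit on salted record:", table.get(a[2].hex()))
    print("legitimate login still verifies:", verify("sunshine", a))
```

Because every record has its own salt, a table built once cannot be reused across users, and the slow derivation makes each individual guess expensive.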

Tips for Stronger Password Habits

Now that you understand the tactics hackers employ, it's time to bolster your defenses. Here's how to cultivate stronger password habits and protect your valuable accounts:

Create Strong Passwords

The National Institute of Standards and Technology (NIST) shared its first recommendations in 2017, stating that passwords should have the following characteristics:

  • Length: Use at least 12 characters.
  • Complexity: Use a mix of uppercase and lowercase letters, numbers, and symbols.
  • Uniqueness: Avoid using the same password across multiple accounts.
  • Not Personal: Steer clear of easily guessable information like your name, birthday, or pet's name.

More recently, NIST has shared a second public draft covering its password guidelines, updating recommended best practices. The draft covers updated password strength requirements for Credential Service Providers (CSP), including:

  • Length:
    • “Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length”  
    • “Verifiers and CSPs SHOULD require passwords to be a minimum of 15 characters but a maximum of 64 characters in length.”
  • Complexity:
    • “Verifiers and CSPs SHOULD accept all printing ASCII and Unicode characters in passwords, where each Unicode code point SHALL be counted as a single character.”
    • “Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.”
  • Changing Passwords:
    • “Verifiers and CSPs SHALL NOT require users to change passwords periodically.”
    • “Verifiers and CSPs SHALL force a change if there is evidence of compromise of the authenticator.”
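The quoted draft requirements translate into a short acceptance check. This is an added example, not NIST or ThreatLocker code; the function names are hypothetical, and the 64-character ceiling follows the wording as quoted above.

```python
MIN_LEN = 8            # "SHALL require ... a minimum of eight characters"
RECOMMENDED_MIN = 15   # "SHOULD require ... a minimum of 15 characters"
MAX_LEN = 64           # "a maximum of 64 characters in length", as quoted above


def check_password(candidate: str) -> dict:
    """Evaluate a new password against the length rules quoted above."""
    # len() on a Python str counts Unicode code points, the unit the draft
    # specifies; len(candidate.encode()) would count bytes instead.
    length = len(candidate)
    problems, advice = [], []
    if length < MIN_LEN:
        problems.append(f"too short: {length} < {MIN_LEN} code points")
    elif length < RECOMMENDED_MIN:
        advice.append(f"allowed, but {RECOMMENDED_MIN}+ code points is recommended")
    if length > MAX_LEN:
        problems.append(f"too long: {length} > {MAX_LEN} code points")
    # Deliberately absent: any upper/lower/digit/symbol requirement
    # ("SHALL NOT impose other composition rules").
    return {"accepted": not problems, "length": length,
            "problems": problems, "advice": advice}


def must_change(days_since_set: int, compromise_evidence: bool) -> bool:
    """Password age alone never forces a change; evidence of compromise does."""
    return compromise_evidence


if __name__ == "__main__":
    for pw in ["hunter2", "correct horse battery", "pässwörd", "x" * 65]:
        print(repr(pw[:24]), check_password(pw))
    print(must_change(days_since_set=400, compromise_evidence=False))
```

Note that "pässwörd" passes the minimum at 8 code points even though it is 10 bytes in UTF-8, and that an all-lowercase passphrase is accepted without any composition complaint.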

Enable Two-Factor Authentication (2FA)

2FA adds an extra layer of security by requiring additional forms of verification on top of your password. This could be a code sent to your phone, a fingerprint scan, or a physical security key.  

Enable 2FA wherever possible, especially for critical accounts like email and cloud-based applications.

Be Mindful of Phishing Attempts

Hackers are skilled at creating convincing emails and messages designed to deceive. Here are a few tips to keep in mind:

  • Think before you click: Avoid clicking on links or downloading attachments from unknown or unexpected senders.
  • Verify the source: If you receive a suspicious email that appears to be from a legitimate source, contact the organization directly through a trusted method to confirm its authenticity.

Keep Software Updated

Software updates often come with security patches that fix vulnerabilities hackers can exploit.  

Think of these updates as strengthening the walls of your digital fortress.

Outdated software is like leaving a window open, making it easier for intruders to break in and potentially steal your passwords. Make it a habit to update your operating system, browser, and other apps to the latest versions.

ThreatLocker Tip: Turn on automatic updates whenever you can. That way, you'll get the latest security patches right away without needing to check for updates yourself. For critical systems, set up a regular patching schedule to make sure updates are applied quickly and reduce your risk.

ThreatLocker Application Control includes built-ins for applications that organizations commonly use. When one of these applications is updated, ThreatLocker researches the update and catalogs any new application definitions in the built-in. This ensures that your Application Control policies continue to work seamlessly when you apply important security updates.

Monitor Account Activity

Regularly checking your account activity is like reviewing the security footage of your digital life. It helps you catch any suspicious logins or transactions that may indicate unauthorized access.  

Pay close attention to login locations, timestamps, and any unfamiliar devices or activities. If you notice anything unusual, report it to the service provider immediately and secure your account by changing your password and turning on MFA.

Implement Strong Security Solutions

Consider implementing advanced security tools to boost your protection.

For example, ThreatLocker Network Control gives you detailed visibility and control over network traffic, letting you set dynamic access control lists (ACLs) and control inbound and outbound traffic in your network. This helps stop malware from spreading and blocks unauthorized access.

On top of that, ThreatLocker Detect offers real-time threat detection and response, helping to catch and deal with malicious activity as it happens.

By combining strong password habits with these security measures, you can greatly lower your chances of becoming a victim of password hacking.

FAQ

How do hackers get personal information?

Beyond tactics like phishing and data breaches, hackers use other ways to gather your personal information. This can include:

  • Pulling data from what you share online
  • Intercepting your information on unsecured public Wi-Fi
  • Stealing devices

Be mindful of what you share online and take steps to protect your devices and data.

Can hackers see my saved passwords?

Yes, if your device is infected with malware like a keylogger or if your passwords are stored insecurely (e.g., in a plain text file or written down). Using a reputable password manager with strong encryption can help protect your saved passwords.

Can you check if you have been hacked?

Yes, here’s how:

  • Keep an eye on your accounts for any strange logins, transactions, or changes.
  • Run a malware scan with trusted antivirus software and keep it updated to catch the latest threats.
  • Use tools like ThreatLocker Detect, which alerts you to any suspicious activity in real-time.
  • Use free online sources like https://haveibeenpwned.com/ to determine if your email or password has been compromised in a data breach and if it has been published to the dark web.
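A password can be checked against breach data without sending it anywhere. Have I Been Pwned's Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/ followed by a 5-character prefix) accepts only the first five hex characters of the password's SHA-1 hash and returns matching suffixes with counts. The added example below, which is not from the original post, shows the client-side logic offline; the response body and its counts are constructed, not real service data.

```python
import hashlib


def split_sha1(password: str) -> tuple:
    """Return (prefix, suffix): only the 5-character prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Match our suffix locally against the 'SUFFIX:COUNT' lines returned."""
    _prefix, suffix = split_sha1(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix not listed: not found in this breach corpus


def constructed_range_body(breached_password: str, count: int) -> str:
    """Build a stand-in response (constructed, not real service data)."""
    _prefix, suffix = split_sha1(breached_password)
    decoys = ["0" * 35 + ":3", "F" * 35 + ":12"]
    return "\r\n".join([decoys[0], f"{suffix}:{count}", decoys[1]])


if __name__ == "__main__":
    body = constructed_range_body("password123", 4711)
    prefix, _suffix = split_sha1("password123")
    print("would request range for prefix:", prefix)
    print("times seen (constructed):", breach_count("password123", body))
    print("unlisted password:", breach_count("a long unique passphrase 91", body))
```

The service sees only the prefix, which is shared by many unrelated passwords, so neither the password nor its full hash leaves the machine.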

Take Control of Your Password Security

Overall, knowing how hackers get passwords is essential in today’s digital world. By understanding their tactics—like phishing, malware, brute-force attacks, and data breaches—you can take proactive steps to better protect yourself and your business.

For an added layer of protection, consider using strong security tools like ThreatLocker.

Try a free demo to see how a Zero Trust endpoint protection platform can boost your cybersecurity and take the steps to protect your data and online accounts.
