How Do Hackers Steal Passwords?
Movies often depict password cracking by showing lots of green letters & numbers whizzing down a screen.
But the reality is far less glamorous, and there are actually many methods by which criminals can (and do) steal passwords.
Understanding how hackers steal passwords & break them helps us to understand what makes a good password - and how to look after it.
This is the 1st page in our guide on the technical aspects of passwords, including how hackers manage to steal passwords & break them.
Historically many of the biggest thefts of passwords (in terms of numbers taken at one time) have been through active hacking attempts by organised criminals.
Stealing from a website:
This is one of the most high profile methods by which criminals get passwords, simply due to the sheer number of account details that can be taken from a major website in one go.
- Example: In 2018 the MyFitnessPal health app and website was hacked and millions of passwords, along with usernames and email addresses, were stolen.
How websites protect our passwords is not something we can control, so instead we should assume every website will eventually be hacked. This is why we should all use different passwords on every website, to make sure the hackers of one website can't access our accounts anywhere else.
Eavesdropping / Interception:
If your wifi connection isn’t secure then a nearby hacker with the right tools will be able to grab your password, such as when you're using public wifi in a cafe or hotel.
- Example: Every year at the "DEF CON" security conference in Las Vegas a big screen shows intercepted usernames & passwords, demonstrating just how easy it is to sniff passwords from the airwaves.
To avoid this follow our guide on how to use public wifi safely.
Searching the web:
Some websites are simply poorly configured, with passwords stored in spreadsheets or text files that are left open to the world. This mostly affects staff or website administrative passwords, rather than home users.
- Example: With the right Google search some of these passwords can be found, such as filetype:xls password
If you're the administrator of a website then be extremely careful about what you allow to be public. Perform regular searches on Google against your site (using the "site:" operator) to see what is visible.
Viruses can sometimes be used to grab passwords too, sitting silently on your PC and feeding your passwords (and possibly other information) back to the attackers.
Some viruses watch every key you press, recording your passwords as you type. This is known as "keylogging".
- Example: "Dridex" & "Zeus" are common viruses (often spread through infected email attachments) that steal banking login details.
Protect yourself from viruses by learning to identify phishing emails, keeping your computer software up-to-date, and by installing a good antivirus tool.
When you select "Remember me" as you log in to a website, your web browser will remember your password and autofill it for you in the future. This data should in theory be securely protected, but with the right tools or viruses it can be extracted by hackers.
- Example: Whilst rare, this type of attack does happen. In 2013 a virus posed as a video on Facebook, managing to infect 800,000 computers. Legitimate tools even exist to let you find passwords on your own PC!
Whilst browser manufacturers have hugely improved how they protect stored data in recent years, there are still many ways in which "stealer" viruses can nab your passwords, as Kaspersky recently described.
Try to avoid letting your browser save your passwords - use a password manager as a secure alternative instead.
Passwords aren’t always grabbed by technical means - it can instead be as easy as taking advantage of basic human nature.
Fraudsters regularly try to impersonate banks (or other companies) in emails, often asking you to update your password due to a "security incident". They'll include a link to a fake - but convincing - website where they can capture your login details.
Phishing goes on all the time - see our guide to learn how to spot phishing emails.
This is perhaps the most basic method of them all - simply watching you type in your password. Not all criminal activity is planned; sometimes opportunists just take advantage of the situation.
- Example: Shoulder surfing attacks at ATMs are a huge global problem, sometimes with criminals even using tiny pinhole cameras to record people entering their PIN.
Be aware of who's around you when logging into websites if you're in a public area, and always cover your PIN when using ATMs or a credit card.
Finding it written down:
Writing passwords down can be a convenient way to remember them - but also risky, for example if you're pickpocketed or burgled.
- Example: The French TV station "TV5Monde" was once filmed (ironically while discussing a cyber attack) with passwords visible on the wall behind the presenters.
If you struggle to remember passwords then a password manager may help, or follow our guidelines if you do want to write them down.
Remembering passwords can be a pain, so it's no surprise that many of us focus on choosing ones that are easy to remember. Bad passwords, though, can be easy to guess, taking just a few attempts for an attacker to get right.
- Example: When the UK company TalkTalk was hacked in 2015, it was reported that the system password was the ludicrously basic "tim".
Passwords can be both strong AND easy to remember - see our ideas for creating strong and memorable passwords.
Humans are inherently weak - we have a natural desire to trust others & to be helpful. Scammers use this to try & trick people into revealing their password, for example by impersonating your company's IT helpdesk.
- Example: A teenager broke into the CIA director's email by convincing AOL staff that he was the account owner & had just locked himself out.
Never reveal your password! There is simply no reason for anyone - including banks or IT support staff - to ever need your password.
If you work in IT Support then always follow your company's procedures if somebody asks for a password reset - verify the identity of all callers, and always be cynical of any unusual requests!
If an attacker can't grab your password then they might be able to do the next best thing - resetting it to something of their choosing.
Exploiting the password reset process:
Many websites will ask a user to answer a couple of preset questions to "prove" their identity. However if these answers are easy to guess or research then hackers will have an easy way in.
- Example: This method was famously used by hackers in 2008 to illegally access the emails of the US Vice-Presidential candidate Sarah Palin.
Make sure you never use easy-to-guess answers to any password reset questions.
Fooling the website provider:
Smooth-talking criminals will sometimes impersonate users in an attempt to persuade technical support into giving them access to "their" accounts.
Sadly there isn't all that much we can do to prevent this type of attack, although enabling two-factor authentication (2FA) might sometimes help.
Exploiting a technical weakness:
Technology is so complex these days that avoiding security bugs can be very difficult. Hackers are forever hunting for new weaknesses.
- Example: The online gaming platform Steam had a flaw in 2015 that enabled hackers to reset anyone's password, whilst Hotmail had also previously had a similar problem. In 2018 Facebook announced a flaw that had meant many accounts could be accessed by anyone.
Unfortunately we ultimately have to trust a website's security, although some attacks can be prevented by using two-factor authentication (2FA).
Are you scared after reading this?! As you can see there are a huge number of ways in which an attacker can get your passwords - some are more common than others, and each has its own way of being defended against. Some are also out of our control, and we have to rely on website developers to keep their own systems strong.
What they all have in common though is the need to:
Make your password both strong and unique for each website - if one password is stolen then you don’t want the hacker to have access to all of your accounts.
Despite the variety of ways that hackers can get passwords, it's still within your power to help keep your accounts secure! See all our tips in our section on Protecting Your Accounts.