• Home
  • |
  • Blog
  • |
  • How Hackers Can Steal Your Passwords!

Passwords are one of the obvious things in the area of security. It isn’t only being used in authentication but also in  Cryptography. There are reasons for these as it is very easy to use and cost-effective to implement the password supported security systems than others. One or other way, passwords are always been around in the news for any reason. And, studies say that ubiquity and simplicity nature of passwords made it most attractive for hackers to steal your password. So, in this article, our main focus is to show how hackers can steal your passwords from nowhere. And also we are going to list some of the most common attacks like Credential Stuffing, Phishing, Password Spraying, Keylogging, and Packet interception hackers use to steal your password.

Attacks are broadly classified into two major class. (1) A targeted approach, where the attack would launch the attack against the specific target. And, on other hand, (2) Shoot gun approach, In which attacks are randomly conducted on a wide range of random targets. Here, we are not just going to brief how hackers can steal your passwords, But also, give effective countermeasures so you can protect your passwords being compromised, or at least, you can reduce the like hood of a successful attack.

1. Credential Stuffing:

Before directly landing into the explanation and know what the hell is this. We would like to remember you, somewhere you heard or read the news like “1 million Twitter user accounts are compromised, plenty of LinkedIn accounts are hacked, 10 thousand credit cards information is made available on public site or put on sale.

What Is Credential Stuffing?

The name is comprised of two words ‘Credential’ and ‘Stuffing’. Let’s look at each one intern. ‘Credential’ is nothing more than a claim and proof. Your username is the claim and password is the proof. Now, let’s look at the term ‘Stuffing’. Stuffing implies testing in stolen things mass. If we put up all to gather it becomes ”mass stolen username and password testing’. From where all the data comes for testing? Mostly from dark web and websites which store large credential database.

How Does Credential Stuffing Work?

In this type of attack, hackers exploit the vulnerabilities found on the websites to dump the database, steal the account information, and use them for their use or sell it on the dark web. Millions of accounts are being hacked every day by testing the all possible combinations of usernames and passwords obtained from the stolen database. As it’s a tent to see many users use the same password across different sites. This attack’s severity is considered very high as the attacker can compromise the millions of accounts just in one stroke.

Credential Stuffing Countermeasures:

Now, How can you protect yourselves as a single user from such attacks? To answer this, it’s quite difficult for individual users to keep their accounts safe from this attack. It’s out of their control. Users can keep their other accounts safe by setting up random unique passwords in their other accounts.

2. Phishing:

Most of us receive a lot to spam mails everyday. Sometimes even it is hard to determine the gentle emails from spam. If you open your spam box, you may see emails like you won 1 billion dolour lottery, buy a car at an exciting price, and many property advertisements. To tell you the truth, all spams are not phishing emails. Confused? Let us tell you the main difference between spam and phish emails. Both spam and phish are related to social engineering. In general, regular, reputed advertisements, unwanted junk emails sent to many recipients to sell their product or do marketing are mostly considered spam. But, in the case of phish, phishing is considered as a form of a cyber attack. Cybercriminals create phish emails to deceive people into stealing confidential information like passwords, credit card information, and personal information. Let’s keep spamming aside and carry out our journey with phishing in this article. 

What Is Phishing, And How Does It Work?

This is the most favourite attack-type of hackers. Because this attack doesn’t demand high technical knowledge, here attackers can crack the password just tricking the user into revealing the credentials. To tell how it works, an attacker sends spoofed emails that look like they originated from a genuine source composed of a malicious website or attachment to a large number of random people. When the user sees the email with a fake web link, which says to reset their password, he/she visit the link and supplies the credentials by submitting his/her username and password on the cloned web site believing the site is genuine. This gives the cybercriminal to receives the supplied data. As the attack targets the bulk of users, the severity has set too high for this attack.

Phishing Countermeasures:

There are many technological solutions in the market to prevent phishing attacks. However, you need to increase your awareness against the cyber attacks and follow the cybersecurity best practices for individual users like you. We will introduce you some techniques that would always take edge over any phishing attacks.

  1. Keep Backups up to date.
  2. MFA – Multi-Factor Authentication
  3. Keep change credentials over time
  4. Adhere password policy
  5. Always update all your computers, tablets, and smartphones.
  6. Use antivirus and encryptions.
  7. Follow all email security guidelines.
  8. Use VPN Whenever you need.

3. Password Spraying:

What Is Password Spraying And How Does It Work?

Password Spraying is a technique to attempt a login using a commonly used password. You may think what made it different than Brute force attack? This attack is similar to Brute force in design, but it’s quite the opposite to that.

In this attack, the attacker creates a wordlist made up of the most common passwords. Spray the wordlist across the bulk accounts, unlike, brute force attack, which targets a single user. This attack is proved one of the most effective attacks against passwords, as many users still use the simple and default passwords even today. This attack’s severity is considered very high as the attacker can compromise the millions of accounts just in one stroke.

How To Prevent From Password Spraying Attack?

Prevention of this attack is quite simple. Make sure your password doesn’t appear anywhere in the first 1000 commonly used passwords on the internet and create a unique password which would be very difficult to guess. We urge to use password generators to generate the password which complies with standard password practices.

  1. Use unique passwords.
  2. Use complex passwords with special characters, alphanumeric combinations.
  3. Password Length should be more than 10 char.
  4. Change passwords periodically.
  5. Enable two-factor authentication.
  6. Use password generators.

4. Brute Force:

Somehow, let’s imagine if you got into a position where all your guess didn’t work. You are only left with trying all possible combinations of letters. This is what we call it as Brute Force attack. 

What Is Brute Force Attack And How Does It Work?

This is the most basic form of password guessing attack. The concept of this attack is to figure out the actual password by attempting every possible combination of the characters—the goal of this attack to find out the correct password without infecting the target.

Theoretically, it sounds elementary, but who will try millions and millions of combinations by hand. This is not possible for humans to sit and try all possible combinations. But, there are multiple solutions. There are plenty of tools available to automate this process. As we said earlier, theoretically, this attack may sound very simple. But, pragmatically, it is not that simple. Significant challenges attacked may face are time and resources required to process the massive list of the password. The time and resources needed for a successful attack will increase exponentially with increasing size of the password.

Dictionary attack: This is widely known as a subset of Brute force attack. A list of dictionary words is used as input rather all possible combinations to carry out the Brute force attack.

Measures To Counter Brute Force Attack:

Countermeasures are really depended on where you would apply the attack. Hackers can use this attack to crack the account password and match the document encrypted password. The difficulty lies where the attacker applies this technique.

This attack suites the best to match the document, encrypted key using any automated tools. However, it’s tough to crack the online account passwords as administrators have many options to counter it by setting the time limitations between the two subsequent attempts. It is possible to set to failed attempts limit to a small number, say 5 or 10.

5. Key Logging:

What Are Key Loggers?

Did you know you could be compromised by your keyboards, webcams, microphones, and quite anything that you use to interact with your smart devices? All this could be possible by logging the data of victim with by leveraging the service of loggers. Loggers are too big to describe on this small blog post. Let’s limit the focus only to the Key loggers. Welcome to the worked of Key loggers, a subset of spyware which is designed to capture, store and share the user’s keystrokes with others for any means.

How Key Loggers Work?

Key loggers work like a surveillance camera. It captures each key that you enter like a person sitting behind you and watching all your activities. New loggers, capture screen shots, web camera pictures, audio from the microphone and send all the captured data to remotely sitting operator or just stores in its memory.

How To Check The Key Loggers On Your Device?

Hardware modules are easy to spot as they are visible to your eyes, just you need to recognize them. On the other hand, it’s tricky to detect the software key loggers. The most common sign to detect are:

  1. You may experience your mouse and keyboards behave out of your control.  As like your mouse pointer disappear at one place and went to a different point without your actions. Similarly, your keyboard courser move intermittently without your action.
  2. You may feel that your computer become less responsive or slow in running programs and loading web sites. Some key loggers would kill your system performance by eating up more resources.
  3. Unexpected errors, program interruptions, sometime you may see your system reboot by its own.
  4. You might see your phone and tabs get heated up than normal, and the battery gets dried up quicker than usual.

How Can You Save Yourselves From Key Loggers?

Here are the most common measures to counter the key loggers:

  1. Awareness is the key.  You should gain some knowledge about the key loggers, how they look? What are they up to?
  2. Use a good antivirus programs and run scans from time to time.
  3. Don’t download anything from untrusted websites; don’t open untrusted emails and attachments.
  4. Keep your system and application up to date.

It’s always recommended to have a good antivirus application which

6. Traffic Interception:

Let’s imagine you don’t have or may have a weak password set on your home WiFi router. The insecure network is a gift for hackers. Hackers can connect to your router, and that’s how they can enter your home network. This is something like that they are in the house. They can grab whatever they want. Now you have gotten my point. Yes, when an attacker can steal your things sitting remotely. What not they can do while having direct access to your whole network. They can connect your smartphones, TVs. Computers, and file servers if you have and see and download any data you have.

How Attackers Steal Passwords Using Traffic Interception Techniques?

When an attacker has access to your network, he can sit in between your computer and WiFi router and watch all the network activities performed by you by intercepting all network traffic using any basic packet sniffer programs. This way, he can capture quite anything you enter as an input on the web, that anything could be your usernames, passwords, card numbers, PIN, address, phone number, and everything.

How You Can Protect Yourselves Getting Sniffed By Others?

Encryption and awareness are the best ways to counter the interception attacks.  Don’t leave your home network insecure. Try encrypting your all smart devices with a strong key as much as you can. Stick with the standard password policy. Follow all best practices.

7. Local Discovery:

This is an old school method to discover the password. Let’s assume you have noted down all your passwords somewhere on a paper or a dairy book to avoid getting forgotten.  Imagine what would happen if someone gets access to your dairy book which has all your passwords. This attack may create a high impact because once if your dairy has fallen into the wrong hands, you lost everything.  The severity of this attack could be low as it requires physical access to the victim or his resources. But, it can create a high impact in some cases.

How Attackers Supply Local Discovery Method?

Here are some common local discovery methods listed:

  1. Stealing a document, a piece of paper, or a book which has a password written on it.
  2. Guessing victims’ password based on his nature: favourite movie, actor, words, number, dates, phone number, car number, family members and pets name.
  3. Some of the common social engineering techniques: tricking verbally to reveal his password, impersonating as one of his friend or a known person to reveal, search information from the dust bins.

How You Can Protect Victimizing Yourself From Local Discovery Attacks?

Awareness is the best friend of you. Here are some of the things you should be aware to stop this type of attack to a certain level.

  1. Avoid writing any confidential information on any type of paper resources.
  2. Follow standard password policies.
  3. Never use common dictionary words, pet names and favourite names and numbers which are easy to guess in your passwords. 
  4. Be aware of strangers while sharing any confidential information and social engineering attacks.


we have covered some of the most common attacks like Credential Stuffing, Phishing, Password Spraying, Keylogging, and Packet interception that hackers use to steal your password. The actual list doesn’t end to this list. It’s the prime task of cybercriminals to compromise you by any means. With developing, technologies criminals are developing attack techniques. To be secure from all such cyber attacks, you should how hackers can steal your passwords and develop some defensive techniques against them.

Thank you for reading this article. Please visit the below links to read more such interesting articles. And also Peace leave your comments in the below and let us know your feedback. This helps us to bring more such articles.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.