How hackers steal your passwords (and tips on managing passwords correctly)

How hackers steal your passwords (and tips on managing passwords correctly)

Weak passwords are easy to break; and hackers easily take low-hanging account credentials to steal more sensitive information to perform identity fraud, blackmail, extortion, and other malicious activities.

According to research, “theft of user credentials might even be more dangerous than personally identifiable information (PII) as it essentially exposes the victim's online accounts…”. Email is often used to verify credentials and store information from other accounts, and a compromised email account can lead to further instances of fraud and identity theft.”

How hackers steal your credentials

In spite of rampant reports on data and identity theft, many small-to-medium-sized businesses (SMBs) still believe that they are spared from hackers. Some think their businesses don't hold as much valuable data as larger enterprises and cybercriminals won't target them. Read on and learn how hackers steal passwords from individuals and organizations of all sizes:

Brute force attack

Brute force attacks are trial-and-error sessions done several times per minute using a specialized program and your personal information or words that may matter to you.

It’s not all random though. Some more advanced brute force hacking programs use more targeted words that are likely to be used in passwords. These words are prioritized to make passwords/passphrases with a higher chance of success.


This attack gathers information from company websites or social media sites such as Facebook and LinkedIn to come up with word lists, which are then used to perform brute force and dictionary attacks.

Rainbow table attacks

Though it sounds like something of a board game, this type of attack deals with hashes — i.e., the encrypted values of passwords. The rainbow table contains pre-computed hashes of password segments that, when correctly combined, produce the full hash of the target’s original password. While the more technical approach of this attack could yield faster results, it could also take up a lot of computing power to run.


Phishing is one of the most commonly used password hacks. All a hacker has to do is send an email that contains a link that, once clicked, leads to a spoofed website that prompts the user to give their password or other credentials. In other cases, the hacker attempts to trick the user to download malicious program that skims for the victim's password.

Social engineering

They say that if all else fails, use the simplest trick in the book and do it the old-fashioned way. Social engineering is the use of psychological manipulation to obtain the trust of an unwitting user. For instance, an attacker could drop a seemingly harmless thumb drive in an office. As soon as a victim installs it (usually to obtain information that can help identify and locate its owner), the device will wreak malware onto the system to steal passwords.

How you can stay ahead of data breaches

Think of password protection as the first step to protecting your company's crown jewels. Here are the best practices that will help your business strengthen its security against current password theft techniques:

  • Use long and complex passwords – Whether it's a unique word or a complex phrase, use something that couldn't be easily guessed. With the multiple methods hackers use, chances are, a commonly used password will be cracked more easily.
  • Use a different password for each account you create – Doing so will lessen the chance of getting all your accounts compromised. If you've been hacked, attackers could use the same password to get to your other accounts. If you find it hard remembering all of your passwords, use a password manager to securely store all of your passwords and help generate long and complex ones.
  • Enable two-factor authentication (2FA) – Sites like Yahoo, Google, or Facebook increasingly give users the option of using two types of identification to log in, which makes the process more secure. This could come in the form of a text-based code sent to your devices in addition to a password.
  • Ensure secure connection – If you have remote workers, consider providing a secure VPN connection so users can securely connect to corporate servers while traffic is protected through a VPN tunnel.
  • Implement regular employee training – Your employees must understand the importance of password protection. Train them to recognize and avoid phishing and other social engineering attacks. Also, encourage them to use long passphrases and avoid leaving written passwords at their workspaces.

Stolen passwords remain the most common reason for data breaches. With these best practices, you can establish an effective password security policy and strengthen protection against unauthorized access. To learn more about how you can further improve your cybersecurity efforts, contact our experts at Charles IT. We offer Managed Security solutions that use the latest hardware and software on the market to bolster your network's defenses.

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”