8 most common methods used to steal passwords

Most people have heard the term "data breach". Many probably picture a hooded hacker in front of a screen full of Matrix-style scrolling text, or a supercomputer attacking the whole world at once.

In practice, a great deal of hacking comes down to one thing: obtaining passwords. An attacker who can guess or steal your password doesn't need elaborate exploits or a supercomputer; they simply log in and act as you. If your password is short and simple, it's game over. Below are the eight most common methods used to steal passwords.

Read also: What is penetration testing: stages and methods

1. Dictionary attack

First on the list is the dictionary attack. It gets its name because it automatically tries every word in a given "dictionary" against the password. This dictionary is not the one you used at school.

Here, the dictionary is a relatively small file containing the most frequently used passwords and combinations. It includes 123456, qwerty, password, iloveyou and the classic hunter2. The table above lists the most leaked passwords of 2016.

The table below lists the most leaked passwords of 2020. Note how similar the two lists are, and make sure you are not relying on any of these trivially guessable options.

To defend against dictionary attacks, use a strong, unique password for every account and keep them in a password manager. The manager stores all your other passwords in an encrypted vault, so you only need to remember one very strong master password.

Read also: 5 sites to create strong and secure passwords

2. Brute force

Next is the brute force attack, in which the attacker tries every possible combination of characters. The candidates are generated to satisfy typical complexity rules, for example at least one uppercase letter, one lowercase letter, one digit, one symbol, and so on.

A brute force attack also tries the most common alphanumeric combinations first, including the passwords listed above as well as 1q2w3e4r5t, zxcvbnm and qwertyuiop. How long it takes depends entirely on the length and complexity of the password: every extra character multiplies the search space by the size of the character set.
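The two attacks above differ only in where the candidates come from, which the following added example (written for this article, not code from the original) makes concrete. The wordlist, the `mangle` rules and the unsalted SHA-256 target are all assumptions standing in for a leaked hash database; the attempt counts show why a "complex" password built from a dictionary word falls in a handful of guesses while a short random one falls to exhaustive search, and why length is what makes exhaustive search infeasible.

```python
import hashlib
import itertools
import string

# Constructed wordlist: a handful of the perennially leaked passwords named
# in this article. Real dictionaries (rockyou.txt and the like) run to
# millions of entries but are used exactly the same way.
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "hunter2",
            "1q2w3e4r5t", "zxcvbnm", "qwertyuiop"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for whatever fast hash a leaked database used."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str):
    """Cheap rules that turn one dictionary word into 11 candidates."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2020"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(target_hex: str, wordlist):
    """Hash every (mangled) dictionary word and compare against the target.
    Returns (plaintext or None, number of hashes computed)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if sha256_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


def brute_force(target_hex: str, charset: str, max_len: int):
    """Enumerate every string over charset up to max_len, shortest first."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates brute force must cover in the worst case."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def demo():
    lower_digits = string.ascii_lowercase + string.digits
    # "Hunter2!" satisfies the usual complexity rules but is one mangling
    # step away from a dictionary word, so it falls almost immediately.
    dict_hit = dictionary_attack(sha256_hex("Hunter2!"), WORDLIST)
    # "ab1" is in no dictionary, but a 3-character lowercase/digit password
    # has only 47,988 possibilities, so exhaustive search is trivial.
    brute_hit = brute_force(sha256_hex("ab1"), lower_digits, 3)
    # Eight characters from the 94 printable ASCII symbols is a different story.
    printable = len(string.ascii_letters + string.digits + string.punctuation)
    return dict_hit, brute_hit, keyspace(printable, 8)


if __name__ == "__main__":
    (dict_pw, dict_tries), (brute_pw, brute_tries), big = demo()
    print(f"dictionary: {dict_pw!r} after {dict_tries} hashes")
    print(f"brute force: {brute_pw!r} after {brute_tries} hashes")
    print(f"8 printable characters: {big:,} candidates")
```

Real crackers (hashcat, John the Ripper) apply thousands of mangling rules and run on GPUs at billions of hashes per second, which is exactly why the 8-character keyspace figure is the number that matters, not the complexity rules.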

To stay safe from brute force attacks, use long passwords (length does far more than anything else) drawn from a varied character set, and add symbols wherever the site allows them.

3. Phishing

This isn't really "hacking", but falling for a phishing or spear-phishing attempt usually ends badly. Billions of generic phishing emails are sent to internet users around the world. A phishing message typically works like this:

  1. The target receives a fake email claiming to be from a large organisation or company.
  2. The email demands immediate attention and provides a link to a website.
  3. The link actually leads to a fake login portal built to look exactly like the legitimate site.
  4. The unsuspecting target enters their credentials and is redirected, or told to try again.
  5. The credentials are stolen and then sold, used maliciously, or both.

Spam still accounts for more than half of all email sent globally every year, and the volume of malicious attachments is high as well: Kaspersky alone recorded more than 92 million malicious attachments between January and June 2020. Since that figure comes from a single vendor, the real number is considerably higher.

One way to avoid being caught by phishing is to set your spam filter to its strictest level or, better still, use a proactive whitelist of trusted senders. Check where a link actually points (with a link checker, or simply by hovering over it) before clicking, and never log in through a link you were sent; type the site's address yourself instead.
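The checks a link checker performs on step 3 of the sequence above (a link whose visible text and real destination disagree) can be written down. This added example is not from the original article: it parses a constructed HTML email body, pulls out every link, and flags the tricks phishing kits rely on. The sample message, the attacker domains (`.example` is reserved for exactly this purpose), the documentation IP address 203.0.113.5 and the two-label `registrable_domain` rule are all assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: body of a "your account is locked" e-mail. The first link
# is genuine; the other three each use a common phishing trick.
SAMPLE_EMAIL = """
<p>We detected unusual activity. <a href="https://www.paypal.com/signin">Log in</a>
to review it, or <a href="http://paypa1-secure.example/login">https://www.paypal.com/login</a>.</p>
<p>Still locked out? <a href="https://xn--pypal-4ve.example/recover">Recover access</a> or
<a href="https://www.paypal.com@203.0.113.5/verify">verify your identity</a>.</p>
"""

# Something that looks like a domain name inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Assumption: the last two labels are the registrable domain. Production
    code should consult the Public Suffix List (co.uk, com.au, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href: str, text: str, trusted_domains: set) -> list:
    """Return the reasons a link looks suspicious; an empty list means it passed."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("host is a bare IP address")
    except ValueError:
        is_ip = False
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (internationalised) host, possible homoglyph")
    shown = DOMAIN_RE.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"visible text names {shown.group(1)} but href goes to {host}")
    if not is_ip and registrable_domain(host) not in trusted_domains:
        reasons.append(f"{registrable_domain(host)} is not a domain this sender uses")
    return reasons


def scan_email(html: str, trusted_domains: set) -> dict:
    """Map each href in the message to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, trusted_domains) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL, {"paypal.com"}).items():
        print(href, "->", reasons or ["ok"])
```

The trusted-domain set is the one piece of context a generic checker lacks: a mail gateway would populate it from the claimed sender's organisation, which is what lets the mismatch between "looks like PayPal" and "goes somewhere else" be caught automatically rather than by a tired user.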

4. Social engineering

Social engineering is essentially phishing carried out in the real world. An essential part of any security audit is gauging how well the entire workforce understands it. In a typical test, the security firm phones the company being audited; the "attackers" tell whoever answers that they are the new IT support team and need the current password for some specific system. A trusting employee can hand over the keys to the kingdom without a second thought.

The scary thing is how often this works. Social engineering has been around for centuries. Tailgating into a secure area behind a legitimate employee is a common technique, and education is the only real defence, because the attacker doesn't always ask for the password directly. It might be a fake plumber or electrician asking to be let into a secure building.

Staying safe from social engineering is hard, because a successful attack is usually complete by the time you realise something was wrong. Education and security awareness are your main defences, together with one simple habit: verify any unexpected request through a channel you already trust, such as calling the help desk back on its published number. Also avoid posting personal information that could later be used against you.

5. Rainbow table

A rainbow table is typically used in an offline password attack. Suppose the attacker has obtained a list of usernames and passwords, but the passwords are hashed rather than stored in plaintext. A hash looks nothing like the original password: for example, if your password is "my password", its MD5 hash is the fixed string "e169bcf81c7303c476ddcfd194028cc8".

That looks like gibberish, and that is the point. But the attacker can run a list of plaintext passwords through the same hashing algorithm and compare the results with the stolen hash file. And when the algorithm is fast and unsalted, like MD5, most common passwords have already been cracked and published, which is why the hash of "my password" is known in the first place.

This is where the rainbow table comes in. Instead of hashing hundreds of thousands of candidate passwords and matching each result on the spot, the attacker uses a rainbow table: a large set of precomputed hash chains for the algorithm, which trades storage for cracking time.

A rainbow table can dramatically reduce the time needed to crack a hashed password, though it isn't perfect: it covers only the character sets and lengths it was built for. Attackers can simply buy ready-made rainbow tables containing millions of potential combinations.

Defending against rainbow table attacks is tricky, because as a user you rarely know how a site stores your password. What defeats precomputation is a unique random salt for every password, ideally combined with a deliberately slow hash such as bcrypt, scrypt or Argon2: with a salt, every user's hash has to be attacked from scratch, and a single table is useless. Where you can, avoid sites known to use plain SHA-1 or MD5 for passwords, steer clear of sites that cap password length or restrict which characters you may use, and always use long, complex passwords.
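To show what "precomputed hash chains" means and why a salt defeats them, here is a working miniature rainbow table written as an added example for this article (not code from the original). It is an assumption-heavy toy: the keyspace is four lowercase letters, the hash is MD5 as in the article, the reduction function and chain length are chosen arbitrarily, and the constructed salt "a1b2" stands in for a site's per-user salt. The defender-side `store_password`/`verify_password` pair uses PBKDF2 from the standard library in place of Argon2, which needs a third-party package.

```python
import hashlib
import hmac
import os
import random
import string

# Toy keyspace: 4 lowercase letters (26**4 = 456,976 candidates). Real tables
# target far larger spaces, but the chain mechanics are identical.
CHARSET = string.ascii_lowercase
LENGTH = 4
CHAIN_LEN = 100


def md5(text: str) -> bytes:
    return hashlib.md5(text.encode()).digest()


def reduce_to_password(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column index gives
    every column its own reduction function (the 'rainbow'), so two chains
    that collide in one column don't merge for the rest of their length."""
    n = int.from_bytes(digest, "big") + column
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def chain_plaintexts(start: str):
    """Every password one chain covers: start, then CHAIN_LEN-1 hash/reduce steps."""
    pw, covered = start, []
    for column in range(CHAIN_LEN):
        covered.append(pw)
        pw = reduce_to_password(md5(pw), column)
    return covered


def build_table(starts):
    """Precompute the chains but store only end -> [starts]; the middle is
    thrown away and regenerated on demand. Ends map to a list because
    distinct chains can still land on the same endpoint."""
    table = {}
    for start in starts:
        pw = start
        for column in range(CHAIN_LEN):
            pw = reduce_to_password(md5(pw), column)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes):
    """Crack an unsalted digest: guess which column it sits in, walk forward to
    the chain end, and if that end is stored, regenerate the chain from its
    start to recover the plaintext. O(CHAIN_LEN**2) work instead of 26**4."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_to_password(target, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_to_password(md5(pw), later)
        for start in table.get(pw, ()):
            candidate = start
            for col in range(CHAIN_LEN):
                digest = md5(candidate)
                if digest == target:
                    return candidate
                candidate = reduce_to_password(digest, col)
    return None


def store_password(password: str, iterations: int = 600_000) -> dict:
    """Defender side: a random per-user salt plus a deliberately slow KDF.
    The salt alone makes any precomputed table useless; the iteration count
    (600,000 is OWASP's current PBKDF2-HMAC-SHA256 guidance) makes building
    a fresh table per salt expensive."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": key}


def verify_password(record: dict, attempt: str) -> bool:
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["hash"])  # constant-time compare


def demo():
    rng = random.Random(42)  # fixed seed so the run is reproducible
    starts = ["".join(rng.choice(CHARSET) for _ in range(LENGTH)) for _ in range(3000)]
    table = build_table(starts)
    victim = chain_plaintexts(starts[7])[42]  # a password the table is known to cover
    cracked = lookup(table, md5(victim))
    # Same password, but the site prepended a salt (constructed "a1b2") before
    # hashing: the digest is no longer one the table was built over.
    salted_attempt = lookup(table, md5("a1b2" + victim))
    return victim, cracked, salted_attempt


if __name__ == "__main__":
    victim, cracked, salted_attempt = demo()
    print(f"unsalted MD5 of {victim!r} cracked as {cracked!r}")
    print(f"salted MD5 of the same password: {salted_attempt!r}")
```

The table here stores 3,000 endpoints to cover a few hundred thousand hashes; commercial tables scale the same trade-off to terabytes. Notice that the salted lookup fails even though MD5 is still the hash, which is the whole argument for salting: the attacker's precomputation no longer applies to anyone.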

6. Malware/keylogger

Another sure way to lose your login credentials is malware. It is everywhere and can do serious damage. If the malware includes a keylogger, every account you log into from that machine can end up compromised.

There is a great deal of password-stealing software about. Scan your computer regularly with a reputable anti-malware program. Some malware specifically hunts for private data, and remote-access Trojans give the attacker a foothold from which to lift your credentials directly.

To avoid malware and keyloggers, install anti-virus and anti-malware software and keep it updated. Be careful where you download from, and avoid bundled installers that ship extra software alongside what you asked for. Stay away from malicious websites, and use a script blocker to stop malicious scripts from running.

7. Spidering

Spidering is closely related to the dictionary attack discussed above. If attackers target a specific organisation or business, they try passwords built from terms related to that business. They may read up on the company and rank the relevant terms by hand, or use a spider to collect them automatically.

You have probably heard the term "spider" before. Like the crawlers that search engines use to index the web, a password spider crawls the target's website and documents and builds a custom wordlist from what it finds: product names, slogans, locations, founding years. That wordlist is then tried against user accounts in the hope of a match.
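The following added example (not from the original article) shows the wordlist-building half of spidering, the part that distinguishes it from an ordinary dictionary attack as described in section 1. The two crawled pages for the fictitious "Northwind Traders" are constructed, the stopword list is a minimal assumption, and the expansion rules are the patterns this article itself describes (company terms combined with years, capitalisation, a trailing "!" or "123").

```python
import re
from collections import Counter

# Constructed sample: text a crawler might pull from a target company's pages.
CRAWLED_PAGES = [
    """<h1>Northwind Traders</h1><p>Founded in 1998 in Bergen, Northwind Traders
    ships specialty coffee worldwide. Our flagship roast, Fjordblend, won the
    2019 Nordic Roasters award.</p>""",
    """<h2>Careers at Northwind</h2><p>Join the Northwind family! Our mascot, Kaffe
    the puffin, greets every new hire in Bergen.</p>""",
]
# Assumed stopwords; a real tool ships a language-specific list.
STOPWORDS = {"founded", "ships", "every", "join", "greets", "hire", "award"}
MIN_LEN = 4  # shorter tokens are noise and too short to be passwords anyway


def extract_terms(html: str):
    """Strip tags and pull word-like tokens of MIN_LEN+ characters."""
    text = re.sub(r"<[^>]+>", " ", html)
    return re.findall(r"[A-Za-z0-9]{%d,}" % MIN_LEN, text)


def rank_terms(pages):
    """Terms ordered by how often the site uses them: frequent terms are the
    ones employees see every day and are most likely to reuse."""
    counts = Counter()
    for page in pages:
        for term in extract_terms(page):
            if term.lower() not in STOPWORDS:
                counts[term.lower()] += 1
    return [term for term, _ in counts.most_common()]


def expand(terms, years):
    """Turn ranked terms into candidates using the patterns people really pick:
    capitalised or shouted, joined to a year found on the site (full or two
    digits), or finished with '!' or '123'."""
    out = []
    for term in terms:
        for base in (term, term.capitalize(), term.upper()):
            out.append(base)
            for year in years:
                out.append(base + year)
                out.append(base + year[-2:])
            out.append(base + "!")
            out.append(base + "123")
    return list(dict.fromkeys(out))  # de-duplicate while keeping rank order


def build_wordlist(pages):
    terms = rank_terms(pages)
    years = sorted(t for t in terms if re.fullmatch(r"(19|20)\d\d", t))
    words = [t for t in terms if t not in years]
    return expand(words, years)


if __name__ == "__main__":
    wordlist = build_wordlist(CRAWLED_PAGES)
    print(f"{len(wordlist)} candidates; top 10: {wordlist[:10]}")
```

The output is exactly what a dictionary attack consumes, which is why "Northwind2019!" is no safer than "password" for a Northwind employee: the attacker did not have to guess the company name, the site published it.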

To stay safe, again use strong, unique passwords made of random strings that have nothing to do with you personally or with your employer or organisation.

8. Shoulder surfing

This is the last method in our guide to the most common ways passwords are stolen. What if someone simply watches while you type your password?

Shoulder surfing sounds a little silly, but it really happens. If you work in a crowded downtown coffee shop and pay no attention to your surroundings, someone may be close enough to note your password as you type it.

Shoulder surfing is a form of data theft in which criminals obtain private or confidential information simply by looking over the target's shoulder.

To avoid it, stay alert to the people around you when entering a password, shield the keyboard with your hand or body as you type, and prefer devices and sites that mask the password on screen.


These are the most common methods used to steal passwords. So how do we stop attackers from stealing ours? The short answer is that nobody can be 100% secure; the tools attackers use change all the time. But we can greatly reduce our exposure. The single most effective step is a strong, unique password for every account, kept in a password manager, backed by multi-factor authentication wherever a site offers it.

That concludes our guide to the 8 most common methods used to steal passwords. Look out for more articles like this one, and don't forget to share it with your friends. Thank you.
