
New Text Document

The document discusses top password hacking methods such as credential stuffing, phishing attacks, password spraying, keylogging, and brute force attacks. It then provides tips for creating strong passwords such as using passwords with at least 10 characters, avoiding personal information, not using common passwords, avoiding common dictionary words, and using complex passwords with special characters.

Uploaded by

the tiger
Copyright
© All Rights Reserved

Top Password Hacking Methods

When do you think the first hack took place? Would you imagine that it came in 1878
when Bell Telephone was started? That’s right. A group of teenagers, hired to run
switchboards, disconnected and misdirected calls. However, the first real computer
hackers started in the 1960s.

Oh, how the times have changed. Hackers are much more sophisticated today. Or are
they? While some techniques are highly sophisticated and use specially designed
programs and tools, others are very simplistic and rely on naivete. Here’s a list
of the top ways that hackers hack your passwords.

1) Credential Stuffing
Imagine you’re a hacker buying 100,000 usernames, emails, and passwords on the dark
web. By the way, those credentials were probably hacked from a weak website, blog,
or e-commerce site and then sold on the dark web.

Next, you start testing those credentials against other databases to see if there’s
a match. For example, you could get your list and start testing it against banks,
merchants, and other websites. Once you find a match, you’re in.

Furthermore, all of this can be automated. There are tools that test stolen
credentials across multiple sites, allowing hackers to quickly breach new accounts
even on sites with good security.

It’s estimated that tens of millions of accounts are tested each day with the
credential stuffing technique.

2) Phishing Attacks
If you thought that credential stuffing was bad, phishing is even worse because you
are unknowingly giving bad actors your username and passwords.

It’s estimated that nearly 70% of all cybercrimes begin with phishing attacks.
Hackers love this technique. It works all too well to steal your information
for their own use or to sell it to others on the dark web.

How do phishing attacks work? We’re glad you asked… It’s pretty straightforward.
Hackers use a technique called ‘social engineering’ to trick users into supplying
their credentials to what they believe is a genuine request from a legitimate
website, vendor or employer.

Phishing attacks almost always come through emails that contain a fraudulent link
or a malicious attachment. When the user clicks on either, the hacker presents a
fake account login page where the user enters their credentials. Hackers may
also use other forms of interception, such as a man-in-the-middle attack, to steal
user credentials.

3) Password Spraying
A hacker may only have a list of usernames. This is pretty common. Password
spraying is a technique that tests commonly used passwords against a username or
account. Examples include passwords such as 123456, password, password123, admin
and others.

You may be thinking that this is similar to credential stuffing. You’re right…
Password spraying is very similar to credential stuffing. It’s estimated that this
technique is used 16% of the time in hacking passwords and accounts.

Most websites and login systems now detect repeated password attempts from the same
IP. Hackers use numerous IPs to extend the number of passwords they can try before
being detected. It could be the top 5, 10, or 100 commonly used passwords.

4) Keylogging
Keylogging. It’s not something you want to mess with. Keylogging is used in
targeted attacks where the hacker knows or is particularly interested in the
victim. It’s used to target spouses, colleagues and relatives. It’s also used to
target corporations and nation-states.

This is a highly complicated technique that requires access to or compromise of the
victim’s machine via malware. You can find your favorite off-the-shelf keyloggers
and commercial spyware on the internet and dark web.

With keyloggers, it really doesn’t matter how strong your password is. The hacker
can see exactly what you type in for your username and password. It’s great for
gaining access to bank accounts, websites and especially cryptocurrency exchanges
and wallets where fund transfers cannot be reversed.

5) Brute Force Attack

When you think about sophisticated hacks, you probably visualize scenes from movies
like James Bond, Mission Impossible or Bourne Identity. Well, brute force attacks
are probably the closest you are going to get to a real-world James Bond scene.

It’s a good thing that they are among the least used. Brute force attacks are
difficult to pull off, time-consuming and expensive. Hackers use tools like
Aircrack-ng, John the Ripper, and DaveGrohl to attempt brute force attacks on
credentials.

There are two types of attacks. The dictionary attack tries every word in the
dictionary as the password. The tools mentioned above can run and test the entire
dictionary in a matter of seconds. The other type involves using the hash of the
plain-text password. The goal is to hash as many plain-text passwords as possible
to find a match. Rainbow tables, which list the hashes of common passphrases, exist
to speed up the process.

Tips for Creating Strong Passwords


As mentioned, there are sophisticated hacks and simple hacks but one constant –
poor username and password policies and knowledge. Here are the top tips for
creating strong passwords.

1) Use Passwords With At Least 10 Characters


Your passwords should contain at least 10 characters. I know, it sounds like a lot.
Long, complex passwords really are hard to crack. To make your passwords
complex but memorable, utilize several types of characters, a mixture of lower and
uppercase letters, and symbols.

2) Don’t Use Personal Information In Your Passwords


You should avoid using personal information, as it is among the first options that
hackers try to exploit. Hackers attempting to hack your accounts might already know
personal details like your address, street, phone number, spouse’s name, children’s
names, pets’ names, birthdays, anniversaries, and so on. They’ll use that
information as an aid to guess your password more easily.

3) Don’t Use Commonly Used Passwords


This is one of the biggest mistakes you can make with your password. Don’t use
common passwords like “password” or “123456.” These are some of the easiest
passwords to hack and can lead to a serious data breach or access to important
accounts.

4) Don’t Use Common Dictionary Words


This is a really tough one to put in place, but you should avoid using common
dictionary words. Common dictionary words are often used in brute force
attacks. In addition, using two common dictionary words does not make your password
more secure against an attack. For example, do not use “Red,” “Cars” or “RedCars.”
It’s actually better to misspell or make up words if you can. Instead, use
something like “RedddCarzz.” You would also want to add some other character types
to it as well.

5) Use Complex Passwords With Special Characters


I mentioned that you shouldn’t use common dictionary words. The next step is to add
more complexity by adding special characters. This includes replacing letters with
numbers and punctuation. Here are some ideas to help you create highly complex,
unusually spelled, and unique passwords.

TotallySecurePasswords! = T0ttallySecur3Pa55w0rd5!

BeyondComplexPass# = B3yondc0mp1exPa$$#

It’s that easy. Use a phrase or word and then mix it with shortcuts, nicknames, and
acronyms. Using shortcuts, abbreviations, and upper and lower case letters delivers
passwords that are simple to remember but protected.

6) Use An Easy to Remember Phrase


It’s really frustrating when you cannot remember your password. One alternative is
to create a phrase and then mix it up by shortening it, adding nicknames,
misspellings and acronyms. This will deliver a password that is easy to remember
but safe. Here is an example.

Use something that only you would know, like one of your college house addresses and
how much you paid in rent or when you graduated.

CollegeRoodStHouse$750 = C0llegeR00dStHouse$750$

Make sure to mix up the words.
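
The tips above can be turned into an automated check. The following is an added example, not part of the original document; the tiny word lists are constructed stand-ins for a real breached-password list and dictionary, and requiring all four character types is an assumption about how to read tips 1 and 5. It flags "RedCars" as a concatenation of dictionary words, as tip 4 warns, while a misspelling such as "RedddCarzz" no longer splits into words.

```python
import re

# Constructed sample data (assumption): a real check would load a large
# breached-password list and a full dictionary instead of these few entries.
COMMON_PASSWORDS = {"123456", "password", "password123", "admin"}
DICTIONARY = {"red", "cars", "car", "house", "college", "secure", "password"}

def is_word_concatenation(letters, words=DICTIONARY):
    """True if `letters` splits entirely into dictionary words (e.g. redcars)."""
    n = len(letters)
    reachable = [True] + [False] * n  # reachable[i]: letters[:i] is all words
    for i in range(1, n + 1):
        reachable[i] = any(reachable[j] and letters[j:i] in words for j in range(i))
    return n > 0 and reachable[n]

def check_password(password, personal_info=()):
    """Return the tips from this page that `password` violates (empty = passes)."""
    problems = []
    lowered = password.lower()
    if len(password) < 10:                                     # tip 1
        problems.append("shorter than 10 characters")
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")       # tip 2
    if lowered in COMMON_PASSWORDS:                            # tip 3
        problems.append("commonly used password")
    letters = re.sub(r"[^a-z]", "", lowered)                   # tip 4
    if is_word_concatenation(letters):
        problems.append("built only from dictionary words")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]  # tips 1 and 5
    if sum(bool(re.search(c, password)) for c in classes) < 4:
        problems.append("missing a character type (lower, upper, digit, symbol)")
    return problems

if __name__ == "__main__":
    for candidate in ["RedCars", "RedddCarzz", "password123", "B3yondc0mp1exPa$$#"]:
        print(candidate, "->", check_password(candidate) or "passes")
```
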
