8 most used methods by hackers to steal passwords

The Big 3 tech companies, Google, Apple, and Microsoft, have committed to ending the use of passwords by 2023 . Until that moment arrives, passwords remain the main access key to our email, bank accounts, subscriptions and all kinds of applications and digital goods.

When it comes to stealing passwords , hackers and other cybercriminal fauna have different techniques to seize the ‘loot’ of the victim. Next, we review some of the most used methods.

The 8 most used methods by hackers to steal passwords

As they say, “knowledge is power”, and in this case knowing the techniques used by hackers is great for preventing these crimes much more efficiently. One last tip before we get started: turn on 2-Step Verification on all your accounts. This will help ensure that all the weight of account security does not fall solely on the access password.

1- Dictionary of frequent passwords

Hackers have lists that include the most used passwords by users over the years. These types of lists are known as “attack dictionaries”, and they are basically used to try all the passwords on the list one by one until the correct password is found.

Passwords like “123456”, “qwerty”, “password”, “111111”, “abc123” and the like are some of the most common passwords. Don’t fall into such a basic mistake and use complex passwords (at least 9 characters with uppercase, lowercase, numbers and some symbol). In this article you can see a list of the most common passwords in Spain in 2021.

The 20 most used passwords in Spain last year.

2- Brute force attacks

Brute force attacks consist of trying all possible combinations until the correct password is found. These types of attacks take complexity requirements into account , so it doesn’t matter if the victim uses uppercase, lowercase, numbers, etc.

In the end, everything is a matter of time. The longer and more complex the password, the more time the hacker will need to find the correct key. The good thing is that if the password is complex enough, the time needed to crack it is so high that in practice it will be almost impossible. Hence the importance of always adding a couple of symbols to our access key.

3- Rainbow table

This type of hack consists of attacking a password offline . In such cases, the cybercriminal will have obtained the victim’s password, but it will be encrypted. For example, you can have an encryption key that is “ef24e1ae340e80aa8f40479e444233b3”.

With that key you will not be able to access any site. To discover the key, what it will do is try different passwords (normally from a dictionary or list prepared for the occasion) and pass them through an encryption algorithm until it finds the result “ef24e1ae340e80aa8f40479e444233b3”.

This trial and error method can take a lot of time, and that’s where rainbow tables come in. These types of tables contain thousands of potential passwords with their respective encryption hashes , which greatly reduces the time needed to break the encryption.

4- Keyloggers

Keyloggers are a type of malicious program or malware that are responsible for recording everything that the user types on the keyboard of their device. This would include users and access passwords (in addition to conversations, URLs and anything else that can be typed with a keyboard), with the serious danger that we would be exposing not one but all our passwords.

The danger of keyloggers is that they can infiltrate our system in different ways and variants. To avoid this type of harmful virus, avoid pirated apps and any other software or content of dubious origin.

5- Phishing

Both brute force attacks and attack dictionaries take time and are also only really effective with weak passwords. For this reason methods such as ‘phishing’ have become so popular in recent years.

Phishing consists of supplanting the identity of another person or company so that we voluntarily give our password to the attacker. In practice, this usually translates into a false email or SMS from our bank, Paypal and the like informing us that we must change our password if we want to continue using the account.

Then we will be redirected to a page with a supposedly credible appearance, using the same designs and logos of our bank. Of course, this page will be controlled by the hacker for the sole purpose of getting our password.

In this Avast antivirus post we can see some of the most used phishing scams in 2022.

6- Spidering

The ‘spidering’ technique is a type of dictionary attack, but customized specifically for the victim . Rather than brute force passwords, spidering attacks use related passwords that can be crafted by sniffing for terms associated with the victim.

To get that custom dictionary, attackers can use ‘spiders’ ( hence the name) to scour the internet for those related words that the user might be using as a password.

For example, if it’s a company that makes chocolate milkshakes, the hacker will likely be looking for related passwords like types of dairy, cocoa, etc.

It should be noted that these types of attacks are usually directed against institutions or companies.

7- Social engineering techniques

When experts say that the human factor is the weakest link in the security chain of our online accounts, they say it for a reason. Now you can have the most complex password and the most exhaustive verification methods, which will be of no use to you if someone calls you on the phone pretending to be Banco Santander, Iberdrola or Vodafone, and you give them your password voluntarily.

The problem with these types of attacks is that they are very effective when they catch us off guard or unaware. To avoid being a victim of this type of theft, remember that your bank or trusted entity will never call you by phone or ring your doorbell to ask for personal data or passwords.

8- The look over the shoulder

We end up with the most rudimentary method of all, and probably the oldest on the entire list. It basically consists of walking past the victim’s computer or smartphone and taking a look at the keyboard/screen to see the password firsthand.

It may seem a bit crappy, but it’s still effective. Especially if we are in a cafeteria, library or bar with a high capacity and a large flow of people


Leave a Comment