How passwords are Hacked

Can passwords be Hacked?

Everything is hackable! Even Passwords.
The question is never if, it is how.

Your guide trough The Cyber PiotrSec, Your Guide Trough The Cyber

There are 7 main ways passwords are Hacked

Database theft

A popular way to obtain username and passwords is to hack databases.

Today major platforms are an enormous database that helps us interact. Uber database will help you to find food. Tinder database will, I have no idea … And the Twitter database will help you shout your frustration with million strangers.

I’m not an expert in databases, but even I know they get quite complicated. Such complexity can get under control with the right level of security if it is appropriately treated in an organization. Still, even if there are massive efforts, it doesn’t mean databases are unhackable.

Hackers will exploit different vulnerabilities to get into a website, corporation network, and steal data that will contain username and password.

In some cases, data will be encrypted and unusable, and sometimes not. And again this will depend by the organization on how they saved those records.

Wi fi sniffing

We love free wifi because they help us lower data plan usage. Yet such wifi’s are not secure as anyone connected to the wifi can listen in and sniff for your password. Some tools help to sniff those passwords. Wireshark is a great example. Still, it is essential to know this will work with a not secure protocol like HTTP SMTP NNTP POP FTP IMAP.

Yet there are still ingenious ways to bypass HTTPS encryption (mitproxy)

Key logger

A keylogger is a software or sometimes even a device that will detect what you are typing. It will copy every single keyboard stroke and sent the full-length top the attacker.

This can be quite dangerous when you are typing your credentials and passwords. Usually, it will be under a form of software and will be sent to you via email or hidden in downloaded files.

Brute force attack

Hackers can try to decipher login and passwords by trying different combinations of known words, phrases numbers, and more. The way passwords are secured on the effort of the creator or owner of the service. There are security best practices, yet they also can be exploited. For example, commonly, passwords get specific signatures by Cryptographic Hashes.

Such technology creates original text signature for any combination of words or files. If you know such a signature, then you know the password. There are so-called rainbow tables that are lists of most used passwords with its respective SHA256 signatures.

That’s why an additional step to make passwords more secure is salting, a random word that is added to the password to create an even more unique signature. Yet if the salt knows and the password is a common one, then it can still be brute-forced.

Shoulder surfing

Plain and straightforward eye-glazing on your device. To make this attack effective, the attacker has to be physically close to you, yet in some cases, camera’s of the devices can be used. There where cases where cameras, where hacked, to look into the eye movement and guess passwords since your eyes follow your hands on a know keyboard pattern. Or even more straightforward like a hidden camera on an ATM.

Social Engineering

Social engineering is a combination of different ways to manipulate people in disclosing personal information, like in this case, login and passwords. Various techniques depend on the technology used. They can be perpetrated by phone, SMS, email, or also onsite.


Vishing is a social engineering technique where you gather information via phone. It is one of the most successful methods as you use psychological games and pressure to force a person to give the attacker what it needs. Attackers will spoof managers, government officials, or for example, people in distress to create empathy.


SMS social engineering attack is called SMSiShing. It is when the attacker will forge SMS to make you take action like write an answer or click on links that will lead to the download of malicious files. An extremely intriguing attack is when the attacker will pretend to be Google and will ask to reply to the message with the 2FA code.


Phishing attacks

Phishing is still a widespread attack as it is not so complicated, and user awareness is generally low, so it has a high chance of succeeding. Hackers will send an email with links to a fake website that has the resemblance of the one you might use. The email will have psychological tactics to pressure you to write your username and password to unlock your account, review a payment or similar.

Spear phishing

Spear phishing resembles the phishing attack, with the difference that one specific person or department is targeted.

Wailing attacks.

Spear phishing and whaling can be seen as similar, and sometimes they are. With wailing, you are also targeting a specific person that is the big mammal of the company (top executive, etc.)


Sensors today can be extremely sophisticated. They track movement, temperature, interactions, heat, and much more in more significant detail every year. Such sensors can also be exploited by an attacker. Researchers have proved that it is possible to decipher in certain circumstances the vibrations you generate by pressing keystrokes and translate them into comprehensible input.


It is always good to put those attacks in context using probability and complexity.

The probability is meaning the chance that your password is hacked by one of those attacks. The likelihood is highly dependent on the complexity of the creation and execution of the attacks. The more they are complicated, then, the less we will be executed.

In the end, for most hackers that do that for money, they will operate in a business way, where you want to balance the effort with the outcome.
A business will always try to maximize the outcome with the lowest effort possible.

The same thing happens with hacking. You will not find the same amount of sensor exploit as phishing attacks because they are just too complicated.

In terms of protection, you need to know all attacks but be more concearned the constant social engineering attacks rather than a sensor exploits.

The most common attacks are database theft and social engineering.
Bruteforcing may be used to gain access to specific accounts or be part of a more significant attack.

Keyloggers are used in particular cases like when hackers want to know your bank account passwords or when a spying application targets you.

Shoulder surfing often happens inadvertently by people in a queue, the chances that someone will use the overlooked information still exists but is generally low.

Wifi sniffing means prerequisites that you are using open wifi and visiting unsecured websites.

Sensor exploit is extraordinarily complex and rare, but since they make a huge media sensation, then often they are overblown by the public.

Please remember that this graph was created to trigger active thinking. This table is not a universal truth, and it also depends on what you do. For example, if you are an opposition fight in a country with low democracy, then all attacks will automatically move to a high probability since you are a target.

If you find those materials useful and you want to support the development of free Cyber awareness there are many ways you can do so.

Thank you so much!

Share via
Choose A Format
Trivia quiz
Series of questions with right and wrong answers that intends to check knowledge
Voting to make decisions or determine opinions
Formatted Text with Embeds and Visuals
The Classic Internet Listicles
The Classic Internet Countdowns
Open List
Submit your own item and vote up for the best submission
Ranked List
Upvote or downvote to decide the best list item
Upload your own images to make custom memes
Youtube, Vimeo or Vine Embeds
Soundcloud or Mixcloud Embeds
Photo or GIF
GIF format
Send this to a friend