4 Ways Hackers Steal Your Passwords

You’ve probably experienced it before: You’re going about your day and you read an email saying that your password has been changed on one account, but you never requested that change. Or even worse, you’re the victim of a total compromise in which you cannot access any of your accounts, and while all that’s happening, someone else is using your identity and your PayPal account to chat with your contacts and send your money across the Web!

This kind of event could be life-changing, and not in the positive sense of the word. This is why we need to discuss how hackers steal your passwords and the methods they use. We will also show you ways to help prevent this from happening to you.

1: Password Recycling

Perhaps the most common way hackers steal your passwords to multiple accounts is by grabbing them from a document of leaked passwords published by another, more skilled hacker. This happens when someone compromises the database of one of the services you use and grabs all the passwords stored in it (easy if they’re stored unencrypted). Afterwards, he leaks those passwords by posting them publicly in a temporary document. When that happens, a bunch of scavengers take what they can find and try the leaked email addresses and passwords on PayPal and other well-known services.

This works because the typical Internet user reuses the same password for many of his accounts. To prevent this, use a different password for each account and write them on a post-it. Better yet, use a trustworthy and secure single sign-on provider.

2: Wi-Fi Sniffing

When you’re on your phone, tablet, or laptop, the added convenience of connecting to networks outside your home is a trade-off: you’re trading security for convenience (as in most things in life). While you browse over unprotected WiFi, you’re basically broadcasting your data to everyone nearby. Since your data is sent to the router by radio, it simultaneously reaches every other device in range. Normally those devices ignore the data you send, but someone could be running a WiFi sniffer that captures everything you broadcast. That includes URLs, passwords, and other private data.

To protect yourself from this, use a VPN service. Many VPN services encrypt the connection between your device and their servers and are compatible with virtually every device.

3: Security Questions

When you recover an account, one of the steps may be to answer a security question before you can reset the password. Often, the hacker will already have complete access to your email account. Security questions are usually a weak excuse for a security measure: they tend to be things like “What city were you born in?” or “What college did you graduate from?”, which are easy to crack with access to your social networking page. If you have the option of choosing “Other,” write a security question whose answer is impossible to find without your help.

4: Dictionary Attacks

Although many sites (like Google) disable an account after three failed login attempts, the dictionary attack remains effective against sites belonging to smaller or less secure organizations. In a dictionary attack, the hacker runs a script that iterates through every word in a specific dictionary, starting with commonly-found passwords and moving on to less likely choices. To make this job difficult or impossible, choose a password with at least one capital letter in the middle of the phrase, one space, one number, and one symbol.
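The two server-side defenses the article touches on in sections 1 and 4, storing only salted password hashes (so a leaked database does not hand out reusable passwords) and locking an account after three failed attempts (so a dictionary script stalls), as an added example that is not part of the original article. The class and method names, the 15-minute window, and the sample account are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 3        # lock after three failed attempts, as the article describes
WINDOW_SECONDS = 900    # assumed: failures are counted within a 15-minute window
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest). A leaked table of these yields no reusable passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Hypothetical login handler: hashed storage plus per-account lockout."""

    def __init__(self):
        self.users = {}                      # username -> (salt, digest)
        self.failures = defaultdict(list)    # username -> timestamps of failed logins

    def register(self, user, password):
        self.users[user] = hash_password(password)

    def is_locked(self, user, now):
        # Drop failures older than the window, then count what is left.
        recent = [t for t in self.failures[user] if now - t < WINDOW_SECONDS]
        self.failures[user] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, user, password, now=None):
        """Return "ok", "denied" (wrong password) or "locked" (too many failures)."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"              # refuse even a correct guess while locked
        salt, digest = self.users.get(user, (b"\0" * 16, b"\0" * 32))
        _, candidate = hash_password(password, salt)   # hash even for unknown users
        if user in self.users and hmac.compare_digest(candidate, digest):
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(now)
        return "locked" if self.is_locked(user, now) else "denied"
```

Running a short list of common passwords against `login` shows the third miss returning "locked", after which even the right password is refused until the window expires.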

Other Methods

If you know any other way hackers steal your passwords to get into your accounts, feel free to leave a comment below and let other readers know!

Miguel Leiva-Gomez

Miguel has been a business growth and technology expert for more than a decade and has written software for even longer. From his little castle in Romania, he presents cold and analytical perspectives to things that affect the tech world.


  1. Re: security questions… they are only weak if you are using the “correct” answer. In many instances, any reply may be used. For instance, what street did you grow up on: “Xram&100”. That would require brute force; it might be easier to just hack the site?

  2. I do something similar to youni, but I created an algorithm based on the question to find the answer. That way you don’t have to remember all the fake answers, but as long as your algorithm stays secret, nobody can access it.

  3. Forgot to add:

    5. Phishing
    Really, it’s a very common way to get passwords. It’s been a while since somebody attempted a phishing attack on me, but I remember getting these weird IM messages.

    “Hey check out my photo albums on http://msn-secure.photos.mcrosoft.com.am/general-login.php?userid={emailfromsender}&randombunchoftext=somemoretext”
    (yeah, I made that one up)

    Most of them were sent by viruses on the sender’s computer, but if you are not doing anything with computers as a hobby or for a living, you will fall for this scam.

    They could easily copy-paste the source code from the official hotmail.com login page, but instead of sending the information to Microsoft it was sent to their own server.
    I don’t know what happens after you really send this information: would they try your combination first to know if it really works? Or do they just store everything? And what happens next? Do people get redirected to the real login page? Or just a blank page? I always wondered this but somehow never tried disclosing false details.

    6. Trojan horses
    It’s a bit related to the previous one, but once a trojan horse is installed on your computer it can listen to your keystrokes and send them to a hacker who will try to find out more information about your account.
    Trojan horses can also create screenshots on a regular time schedule and send them too.

    They can get on your computer due to an email attachment, an online download or (less common, but still possible) due to a security bug in a popular program (Adobe Reader or the operating system used to have a lot of security issues). So keeping your operating system and programs up-to-date is really important. But sometimes it’s better to find a less commonly used application for common tasks: like another web browser (Firefox/Chrome instead of Internet Explorer), PDF reader (SumatraPDF instead of Adobe Reader)… But sometimes it’s unavoidable.

    Most of the time they are easily removed with an antivirus or antimalware program, but there are enough cases of people who don’t know how to use this software or people who think that “an antivirus will slow down my computer”; my reply to this is: “but so does a herd of viruses”.

  4. Wireless keyboards using unencrypted transmission.

    Phishing using a phone with a programmable sender ID, i.e. “Service Desk”.

  5. Putting your passwords on a Post-It is a dumb piece of advice because they can be stolen in the real world just as they can be stolen in the virtual world. Instead, I save them in an Excel file that is encrypted with AES 256-bit strength.

    1. Good one. And when someone gains access to the encryption key? Both the post-it idea and the encryption idea leave a lot of potential loopholes. SSO, something else I suggested, closes the loop.

  6. The only methods that work most likely are as follows:

    Malware programs: Different types, but all doing bad things to your personal data and sometimes your laptop/PC. It’s the worst thing ever and I had the bad luck to experience it, but nothing happened as I managed to get rid of it.

    Phishing websites: This method is rather weak, as there are people who figure out that a safe website does not and never will ask for your password for some other website.

    Websites that steal your link “token”: These websites basically take it and use it to get into your account as if it were you, not him, as many websites, even Facebook, use it to recognise you.

    Brute force: The oldest method ever known. It’s rather not as useful as the above, but it is still something. Just to let you know, there are advanced programs and less advanced ones, but most of those programs end up patched after a website with a high population does an update.

    The above are the methods that would be able to get your Facebook, Twitter, or even worse PayPal information.
    I strongly recommend avoiding downloading programs from strangers that promise you the program will do a “miracle”, and never give your personal information to a website that asks for it, especially the ones asking for your password.
