How hackers get passwords

And how to prevent them from getting yours
3 mins
Broken password field.

If all you knew about hacking came from TV and movies, you could be forgiven for thinking hackers steal passwords by typing furiously on loud keyboards in dark rooms, racing against a countdown clock and fast-paced techno music.

The truth, while much less dramatic, is actually more interesting.

Here are the most common ways real-life hackers actually get passwords:

Data breaches

The easiest and most common way that hackers get passwords is from data breaches, in which huge amounts of user data has already been leaked or stolen from companies. This data, which often includes usernames and passwords, is compiled into databases and may be sold on the dark web or downloaded freely on forums.

Thanks to the fact that many people reuse their passwords, attackers can use stolen passwords from one company’s data breach to steal accounts at other companies, even if they have stronger security.

Credential stuffing

After obtaining a list of usernames and passwords from one company’s data breach, attackers can try credential stuffing, which is the use of automated bots to try every username/password combination on another website, like a social media site, until one of them works.

Password spraying

If an attacker has a username (or list of usernames) but no passwords, he can still guess from a list of the most commonly used passwords (e.g. 12345, abc123, qwerty) in a technique called password spraying.

Because many sites limit the number of guesses per user, password spraying is most effective when distributed across a wide range of usernames.


A similar but more difficult method is a brute-force attack, in which an attacker attempts to guess all possible passwords until the correct one is found.

Brute-forcing is computationally expensive, but can be successful quickly if the password is short enough, or if the attacker already has some information about the password.


One very effective way to steal someone’s password is to trick them into entering it on a phony login screen, which is a form of phishing.

Phishing works so well because the weakest link in any security system will always be the human factor. It doesn’t matter how sophisticated your security software is; if you can fool a human with the right credentials, you’re in.

Social engineering

Phishing is just one form of social engineering, a broader class of attacks that preys on human gullibility.

Employees at some companies have been conned into giving up passwords by scammers impersonating high-ranking managers over email, text, or even on the phone. It’s a surprisingly effective technique—employees at medium to large companies may have never met their CEO and wouldn’t recognize their voice.


Keylogging is the computing equivalent of a wiretap. But instead of recording audio from a phone, it records all keystrokes made on a computer.

Often installed through malware, software keyloggers can “listen” to your keyboard and send the recorded keystrokes back to their creator, who can then use context to determine which keystrokes make up your passwords.

Shoulder surfing

The lowest-tech option is often the most effective. If someone wants your password and is physically close to you, all they need to do is look over your shoulder.

Default passwords

Some passwords don’t need to be stolen, because they are already known.

That is often the case with many hardware devices that come with default login credentials. If you’ve never changed the default password for your Wi-Fi router, for example, someone could gain access simply by entering username: admin, password: admin.

How to prevent hackers from getting your passwords

So how can you stop hackers from getting your passwords? Make yourself a more difficult target by taking a few simple steps toward better password security:

  • Watch out for phishing attacks. Don’t click any links with suspicious URLs, even if they appear to come from a trusted source.
  • Change the default password on your router.
  • Use 2-factor authentication wherever possible.
  • Don’t reuse passwords. Every account you own should have its own unique password.
  • Strengthen your passwords. Use our random password generator to create strong passwords of any length.
  • Use a password manager. A good password manager can generate and store strong, unique passwords for all your online accounts without straining your memory.