Skip to main content

Let’s look at the various ways passwords can be hacked

Creating a stong password can deter but not prevent cybercriminals using several methods to hack your password, but the easiest one is simply buying your password from the dark web. For many years, passwords were considered to be an acceptable form of protecting privacy when it came to the digital world. Moreover, as cryptography and biometrics started to become more widely available, the flaws in this simple method of authentication became more noticeable. This is a big business, selling and buying your login credentials on the black-market, and if you’ve been using the same password for many years, chances are it’s been compromised; but if you’ve been wise enough to keep your passwords off the aggregated market lists, cybercriminals have to crack them, and if that is the case, they’re bound to use one of the several methods which I will explain below.

Brute Force Attack

This attack tries to guess every combination in the book until it hits on yours. The attacker uses a software program to try and use as many combinations possible in as quick a time as possible. Hackers have unveiled computer programs that can crack 8-character passwords in less than six hours. Attempting over 300 billion guesses per second. Generally, anything below 12 characters is vulnerable to being cracked; hence why it is important to have a longer password character.

Dictionary Attack

This hacker is essentially attacking you with a dictionary, whereas a brute force attack tries every combination of symbols, numbers and letters, a dictionary attack tries a prearranged list of words such as you find them in a dictionary. If your password is indeed a regular word, you’ll only survive a dictionary attack if your word is wildly uncommon in multiple phrases.


The most awful of tactics is when a cybercriminal tries to trick, intimidate, or pressure you through social engineering into doing what they want. A phishing email may tell you that there’s something wrong with your credit card account, then direct you to the click a link, which takes you to a fake website built to resemble your credit card company. The scammers stand by, hoping the ploy is working and that you’ll now enter your password. Once you do, they have it. Phishing scams can try to entrap you through phone calls too. Be leery of any robocall you get claiming to be about your credit card.

The national institue of Standards and Technology (NIST) issued its first new Password Guidelines, updated February 2020.

Weak passwords are still very common. Many people still use passwords like “password”, “abcdefg” and “12345678” to log into secured site like bank accounts, email and credit cards. If this is you, please change your password immediately. Your passwords grant access into your personal kingdom, so you are probably thinking, what are the best practices to create a strong password to protect your accounts.

Some Basic Rules:

Never use sequential numbers or letters, create strong passwords – come up with unique passwords that do not include any personal info such as your name or date of birth. Keeping in mind the nature of a brute force attack, you can take specific steps to keep them at bay, last but not least; change your password regularly. Some tips to help you with stronger password best practices:

  • Making the password long and complex is the most critical factor.
  • The more you mix up letters (upper-case and lower-case), numbers and symbols, the more secure and potent your password.
  • Avoid using common substitutions or words that can be found in dictionary’s as password crackers will also understand the usual substitutions. Whether you use DOORBELL or DOOR8377, the brute force attacker will crack it with equal ease.
  • Avoid recycyling old passwords. 
  • Never text or email your passwords.
  • An effective way to maintain your overall password hygiene is to use a password manager. A password manager helps you create stronger passwords based on some of the best practices stated above.
  • Use different passwords for different accounts.

Ensure your password is not just a single word, multiple words will confuse the attacker and more importantly, use multiple phrase methods with a twist. Choose bizarre and uncommon words. You can add random characters in the middle of your words or between the words.

Security-conscious websites will hash itts users’ passwords so that even if the data gets out, the actual passwords are encrypted. Other websites don’t bother with that step. Before starting up accounts, creating passwords and entrusting websites with sensitive info, take a moment to assess the site. Does it have HTTPS in the address bar, ensuring a secure connection? Do you get the sense it is up on the newest security standards of the day? If not, think twice about sharing any personal data.

I also have a seperate blog on multifactor authentication (MFA) which adds an extra layer of protection (which becomes your first layer of protection should your account details ever get leaked). These have become the new industry standard for effective security best practices. The best and mose secure MFA method is to use a specialized app for your smartphone. Though implementing these recommendations won’t make you comply with the regulations mentioned above, these will serve as a good starting point in ensuring information security and remember, if you ever feel that your password may have been comprimised, it’s important to change it as soon as possible.