Discover the Most Common Password Hacking Techniques: Protect Your Data Now!

December 28, 2025

Password Hacking: The Most Common Techniques

From brute force attacks to phishing, cybercriminals are increasingly creative in exploiting both technical vulnerabilities and human errors.

Known for their technical skills and creativity, cyber attackers use various methods to exploit both technical and human vulnerabilities. From credential stuffing to brute force attacks, here are the techniques they commonly use to steal usernames or passwords.

Common Hacking Techniques Employed by Cybercriminals

Brute Force Attack

This “old and well-known method among hackers” is relatively unsophisticated, explains the CNIL. It involves using software to test every possible combination, including special characters. Depending on the computing power available to the cyber attacker and the number of possible combinations, the time required to crack a password can vary significantly. According to a recent study by Hive Systems, a sequence of 8 digits that has never been compromised before can be deciphered instantly, while a sequence of eight characters mixing uppercase, lowercase, and special characters could take several decades to crack, even with a cutting-edge setup.

Dictionary Attack

This technique is similar to a brute force attack, but with a twist: instead of blindly testing countless sequences of digits and characters, cyber attackers use programs that try predefined lists of combinations commonly used to secure accounts. These include dictionary words, dates, proper names (fictional characters, artists, etc.), or combinations often found in data leaks (admin, password123). These programs may also test slight variations of these combinations, like p4ssw0rd. “Fundamentally, dictionary attacks are brute force attacks,” explains NordPass, a password manager developer. “The difference is that dictionary attacks are more efficient as they generally require fewer attempts to succeed”. The weakness of this method is that it is systematically defeated by a password that is genuinely unique and appears in none of these lists.

Phishing

This is probably the most well-known method. Phishing is a manipulation technique that aims to prompt the user to voluntarily disclose their login credentials or banking information. There are many variants, but the most common modus operandi involves cyber attackers bombarding their targets with emails or SMS messages impersonating a trusted third party, such as a bank or a government agency. These messages typically contain links that redirect to fake login pages or malicious attachments, which users click on due to a false sense of urgency created by the cyber attacker (e.g., paying a fine, threat of account closure, etc.).

Credential Stuffing

This technique involves reusing combinations of usernames and passwords obtained from the dark web following data breaches to try to log into other platforms. Often automated, particularly through programs capable of “bypassing basic security measures such as the simplest CAPTCHA resolutions”, notes the CNIL, it capitalizes on the fact that many users reuse the same credentials across multiple accounts. It has a very low success rate, around 0.1% according to some estimates, but remains viable because “these collected sets [from the dark web] contain millions, and in some cases billions of credentials,” explains Cloudflare. “A hacker with a million credentials can successfully hack about 1,000 accounts”.
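The pattern described above, one source trying many different accounts with a very low hit rate, is also what a defender can look for in authentication logs. As an added example (not from the article or from Cloudflare), this Python script flags it in a few constructed log lines; the log format, thresholds and addresses are assumptions:

```python
from collections import defaultdict
import re

# Constructed sample log lines; the format and addresses are assumptions.
# 203.0.113.7 sprays many different accounts; 198.51.100.4 is one user
# mistyping their own password.
SAMPLE_LOG = """\
2025-12-28T10:00:01 src=203.0.113.7 user=alice result=FAIL
2025-12-28T10:00:01 src=203.0.113.7 user=bob result=FAIL
2025-12-28T10:00:02 src=203.0.113.7 user=carol result=FAIL
2025-12-28T10:00:02 src=203.0.113.7 user=dave result=FAIL
2025-12-28T10:00:03 src=203.0.113.7 user=erin result=OK
2025-12-28T10:00:03 src=203.0.113.7 user=frank result=FAIL
2025-12-28T10:00:10 src=198.51.100.4 user=alice result=FAIL
2025-12-28T10:00:15 src=198.51.100.4 user=alice result=FAIL
2025-12-28T10:00:20 src=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(OK|FAIL)")

def summarize_by_source(log_text):
    """Per source address: distinct usernames tried, attempts, successes."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines instead of failing
        src, user, result = m.groups()
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += 1 if result == "OK" else 0
    return stats

def stuffing_suspects(log_text, min_users=5, max_success_rate=0.2):
    """Sources that tried at least min_users distinct accounts with a low
    hit rate. Thresholds are illustrative; tune them to normal traffic."""
    suspects = []
    for src, s in summarize_by_source(log_text).items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            suspects.append(src)
    return sorted(suspects)

if __name__ == "__main__":
    print(stuffing_suspects(SAMPLE_LOG))  # ['203.0.113.7']
```

A single user failing a few times on their own account is not flagged; a per-source distinct-username count is what separates the two cases.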

Keyloggers

Less common but extremely effective, this method relies on the use of keyloggers, which record every keystroke on a keyboard in real time. Each keystroke is logged and then transmitted to the cyber attacker via a remote server. Often hidden in an attachment or a rigged file, keyloggers not only allow for the theft of passwords and login credentials but can also intercept private conversations, banking details, or confidential documents.

Shoulder Surfing

This method requires no technical skills but still poses a risk, especially in public places. Shoulder surfing, literally “looking over the shoulder”, involves memorizing credentials by watching a target enter them on their device. An age-old tactic, it is generally used to steal bank details but can also be employed to snatch passwords. “Shoulder surfing is also used to steal PIN codes in places like gas stations, ATMs, and supermarkets,” adds Dashlane.

How to Effectively Protect Your Passwords?

Given these risks, which affect all internet users, several best practices in password management are essential. While no method guarantees absolute protection, adopting these practices significantly reduces the chances of intrusions and sensitive data leaks:

  • Create strong, non-personal passwords: using a long and complex combination is the most effective barrier against brute force and dictionary attacks. Ideally, a password should contain at least twelve characters mixing uppercase, lowercase, digits, and special characters. Moreover, it is advised not to use “personal information that could be easily discovered,” reminds ANSSI, such as your mother’s first name, your favorite football club, or your pet’s name.
  • Use a unique password for each service: to prevent a domino effect in case one account is compromised, each platform should be protected by a unique combination, following the basic rules listed above. This is important even if the account does not host sensitive data. Why? Because a cyber criminal who gains access to one of your accounts will likely try that password on other services.
  • Never write down your passwords: just as you wouldn’t leave your keys in the front door, you should not expose your passwords unnecessarily. While it might be tempting to jot them down on a post-it note lying around in an open space, a .txt file, or the notes app on your smartphone, this habit should be avoided. There is no guarantee that these mediums cannot be accessed, copied, or compromised, intentionally or by accident. The case of the TV channel TV5Monde, which inadvertently revealed the credentials of its social media accounts on the 1 PM news shortly after suffering a cyberattack, illustrates the risks posed by this bad habit quite well.
  • Enable two-factor authentication: this additional layer of security involves an extra verification step, such as sending a one-time code via SMS, notification, or through a dedicated app, or using biometric recognition, to confirm the user’s identity. It is now offered by many services, from Gmail to WhatsApp to LinkedIn, and should be activated whenever possible.
  • Use a password manager: since it is “humanly impossible to remember dozens of long and complex passwords that are used daily,” points out ANSSI, the simplest solution is to opt for a password manager. These tools, whether free or paid, generate strong combinations of uppercase, lowercase, digits, and special characters, and then store them in an encrypted vault, accessible via a master password. A password manager can also store other sensitive information (phone number, credit card code) and automatically fill in the fields each time you log in.
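The twelve-character and four-class rules above, the advice against personal information, and the leetspeak variants described under dictionary attacks can be applied as a single policy check. This is an added example in Python (not from the article, ANSSI or NordPass); the word list, the substitution map and the sample passwords are constructed:

```python
import math
import string

# Tiny constructed word list standing in for a real leaked-password list.
COMMON_WORDS = {"password", "admin", "qwerty", "letmein", "welcome", "dragon"}
# Undo the substitutions dictionary tools try (4->a, 3->e, 0->o, 1->l, ...).
LEET_MAP = str.maketrans("4301$!@", "aeolsia")

def normalize(pw):
    """Candidate base words: lowercased and de-leeted, with and without the
    trailing digits/punctuation people append (P4ssw0rd123! -> password)."""
    low = pw.lower()
    stripped = low.rstrip(string.digits + string.punctuation)
    return {low.translate(LEET_MAP), stripped.translate(LEET_MAP)}

def char_classes(pw):
    """Which of the four classes are present: lower, upper, digit, special."""
    return (any(c.islower() for c in pw), any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))

def keyspace_bits(pw):
    """log2 of the brute-force keyspace for this length and these classes."""
    lower, upper, digit, special = char_classes(pw)
    size = 26 * lower + 26 * upper + 10 * digit + len(string.punctuation) * special
    return len(pw) * math.log2(size) if size else 0.0

def check_password(pw, personal_terms=()):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than twelve characters")
    if not all(char_classes(pw)):
        problems.append("missing a character class (upper/lower/digit/special)")
    for hit in sorted(normalize(pw) & COMMON_WORDS):
        problems.append(f"dictionary word or variant ({hit})")
    for term in personal_terms:  # e.g. pet name, favourite club
        if term.lower() in pw.lower():
            problems.append(f"contains personal information ({term})")
    return problems

if __name__ == "__main__":
    print(check_password("P4ssw0rd123!"))                  # dictionary variant
    print(check_password("Rex-Loves-Tuna-2025", ["Rex"]))  # pet name
    print(check_password("Vq7#kLm2@pZw9r"))                # []
    print(round(keyspace_bits("12345678")), round(keyspace_bits("Aa1!Aa1!")))  # 27 52
```

The keyspace figures illustrate the Hive Systems comparison quoted earlier: eight digits give roughly 27 bits, while eight characters drawn from all four classes give about 52 bits, and every additional character adds to that exponent.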
