How Passwords Get Hacked

PHP repository exploited by hackers

How many passwords do you use in a given day?

Everything on the internet requires a password. It can be tough to keep track of them all and keep coming up with strong passwords. For proof, listen to the grumblings in most office buildings on the day passwords are set to expire.

The disdain for passwords leads to a lot of bad password practices. This includes reusing passwords or keeping them basic. But steps to make passwords easier to remember also makes them easier for hackers to guess.

How Passwords Get Hacked

To hack a password, first an attacker will usually download a dictionary attack tool. This piece of code will attempt to login many times with a list of passwords. Hackers often publish passwords after a successful attack. As a result, it is easy to find lists of the most common passwords with a simple Google search.

The attacker will then load the dictionary attack tool with a list of passwords. The tool will attempt every password until finding a match. Now, the attacker can log in with administrator credentials and install a backdoor for future entry. With a backdoor in place, the hacker can begin installing additional malware and other malicious code that damages your online presence.

The speed and success of a password hack will vary depending on whether it is an offline attack or an online attack. An offline attack allows an attacker to leverage the full power of their device, which will vary depending on the attacker’s setup.

For example, offline password cracking could make up to 2 million attempts per second when leveraging the power of multiple GPUs. If the attacker has access to a botnet of infected machines, they can speed up the process by using the resources of those devices. A very simple password can be hacked this way in a matter of minutes.

An online attack is much slower. There are constraints set by the victim web server and the application (e.g WordPress) that can hinder the attempt rate. A common example of such a constraint is limiting the amount of password attempts. This will slow down the attack, but attackers won’t stop there.

Next, they will try techniques like credential stuffing. The hacker will find a more tailored password list created from passwords stolen from previous compromises. This is why using complex and unique passwords is key to protecting your website.

Best Password Practices

The best passwords will not have any obvious combination of numbers or letters. That means most easy-to-remember passwords with names, words, and dates won’t cut it. If you can read the password as a word or phrase, a hacker using automated tools will be able to guess it. A good password is much more complex.

To make a password more complex, you will want to make it longer. More characters gives a password a lower chance of being guessed in a dictionary attack. A mixture of lower- and uppercase letters, numbers, and characters is also recommended

Unfortunately, complex means a bit more than replacing the letter “a” with an “@” or an “!” in place of an “i.” Adding a couple random numbers won’t work either. Many people use these tricks and hackers are well aware of them. This hardening technique may buy you a couple extra seconds against a hacker, but they can still get in.

To get a completely secure password, it will also need to be completely unique. If the password was ever used, it may be in a list and more vulnerable to a dictionary attack or credential stuffing. The best passwords are going to look like a random string of characters, numbers, and symbols. Imagine a cat running across a keyboard as you go to type in your password. A secure password should look like that.

Passwords should never be reused on multiple accounts. This increases the chances of a hacker being able to gain further access with the same credentials.

Now you know the best way to make and protect your passwords. Yet, the biggest question on your mind is likely, “How am I supposed to come up with all these passwords, yet alone keep track of them all?”

Using Password Managers

The bad news is that you shouldn’t keep using things like your favorite’s pet’s name or quotes from Caddyshack as a password. But the good news is that making and remembering complex passwords is not difficult. In fact, it’s very easy to do with a password manager.

A password manager is a service that generates unique, complex passwords and saves them in a secure vault. You can then use a browser extension and mobile app to auto-fill usernames and passwords. It makes keeping your passwords secure much easier.

Most browsers and mobile operating systems offer built-in password managers. But it’s recommended to use a third-party manager like LastPass, KeePass, or Dashlane. The built-in browser managers lack many of the best features of more dedicated services.

It’s worth noting many password managers do cost money. While LastPass, KeePass, and Dashlane do offer free versions, they may not work for all users. But the paid accounts cost only a few dollars a month. That’s a small price to pay to get rid of the headache of worrying about passwords.


Hackers have been finding ways to crack or compromise passwords since the day they were invented. The only thing more constant about passwords is the struggle to create and remember them.

Good password practices don’t have to be a taxing chore. Password managers take the burden off of creating and storing unique and complex passwords. It is the easiest way to prevent hackers from guessing your credentials, but the password could still be stolen and used by an attacker using different methods like keyloggers or MiTM attacks. This is why nowadays it is recommended to use additional authentication measures like multi-factor authentication.

But cybersecurity doesn’t stop with good passwords. Hackers have a full arsenal of malicious weapons to gain access to websites. You may want to consider our Website Security Platform  for a more robust cybersecurity solution.

You May Also Like