ESET: How hackers can “steal” passwords


Passwords are the Achilles’ heel of many people’s digital lives, especially now that the average person has to remember dozens of them, a number that has grown steadily in recent years.

Passwords are the virtual keys to the digital world, giving access to online banking, e-mail, social networks, Netflix, data hosted in the cloud, and more.

With compromised passwords a hacker can:

  • Steal users’ personal information and then sell it on to other criminals.
  • Sell the passwords directly, since dark-web marketplaces trade this information wholesale.
  • Use the passwords to unlock other accounts protected by the same password.

Cybersecurity company ESET has outlined five key ways hackers steal passwords:

Phishing and social engineering

In phishing, hackers pose as friends, relatives, companies you have dealt with, and so on. The e-mail or text message you receive will look authentic but will contain a malicious link or attachment; clicking it either downloads malware onto your device or takes you to a website that asks you to fill in your personal information. Scammers even use phone calls to extract passwords and other personal information directly from their victims, often posing as technical-support agents. This method is called vishing.

Malware

Another popular way for hackers to get their hands on passwords is through malware. Phishing e-mails are a major driver of this type of attack, although you can also fall victim to a malicious advertisement (malvertising) or to a drive-by-download website. Malware can even hide inside a mobile app that looks legitimate, which is most often found in third-party app stores. There are many types of information-stealing malware, but some of the most common are designed to record keystrokes, or to take screenshots of the device’s screen and send them to the attackers.

Brute-force attacks

The number of passwords the average person has to manage is increasing by about 25% a year. Many people use passwords that are easy for them to remember (and therefore easy for someone else to guess) and reuse them across many different websites. This opens the door to so-called brute-force techniques. One of the most common is credential stuffing, in which attackers feed automated software large volumes of username/password combinations that were compromised in earlier breaches. The tool then tries these combinations against a large number of websites, hoping to find a match. In this way hackers can unlock multiple accounts with a single password. An estimated 193 billion such attempts were made worldwide last year! Another brute-force technique is password spraying, in which hackers use automated software to try a list of frequently used passwords against a user’s account.
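As an added illustration from the defender’s side (this is not ESET’s code and is not part of the original article), the following Python script shows how the two patterns just described look in authentication logs and how a monitoring job can flag them: a single source failing against many different accounts (the footprint of password spraying and credential stuffing) versus a single account collecting many failures (classic brute force). A successful login from a source that has already been flagged is reported separately, because that is the event that needs an analyst. The log format, the thresholds, the detection window and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example:
# "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample lines (documentation-range IPs, invented user names).
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:03 FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:05 FAIL user=carol ip=203.0.113.5
2024-05-01T10:00:07 FAIL user=dave ip=203.0.113.5
2024-05-01T10:00:09 FAIL user=erin ip=203.0.113.5
2024-05-01T10:00:11 OK user=frank ip=203.0.113.5
2024-05-01T10:01:00 FAIL user=grace ip=198.51.100.7
2024-05-01T10:01:02 FAIL user=grace ip=198.51.100.7
2024-05-01T10:01:04 FAIL user=grace ip=198.51.100.7
2024-05-01T10:01:06 FAIL user=grace ip=198.51.100.7
2024-05-01T10:01:08 FAIL user=grace ip=198.51.100.7
2024-05-01T10:05:00 FAIL user=heidi ip=192.0.2.9
2024-05-01T10:05:30 OK user=heidi ip=192.0.2.9
"""

WINDOW = timedelta(minutes=10)   # assumed detection window
SPRAY_MIN_USERS = 5              # one source failing against this many distinct accounts
BRUTE_MIN_FAILS = 5              # one account collecting this many failures


def parse(log_text):
    """Turn raw lines into event dicts, skipping anything that does not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def analyse(log_text, window=WINDOW):
    """Return spraying sources, brute-forced accounts and successes worth investigating."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    fails_by_ip = defaultdict(list)    # ip   -> [(ts, user), ...]
    fails_by_user = defaultdict(list)  # user -> [ts, ...]
    findings = {"spraying_ips": set(), "bruteforced_users": set(), "suspicious_logins": []}

    for e in events:
        cutoff = e["ts"] - window
        if not e["ok"]:
            fails_by_ip[e["ip"]].append((e["ts"], e["user"]))
            fails_by_user[e["user"]].append(e["ts"])
            # Spraying / credential stuffing: one source, many accounts, few tries each.
            recent_users = {u for t, u in fails_by_ip[e["ip"]] if t >= cutoff}
            if len(recent_users) >= SPRAY_MIN_USERS:
                findings["spraying_ips"].add(e["ip"])
            # Brute force: one account hammered repeatedly inside the window.
            recent_fails = [t for t in fails_by_user[e["user"]] if t >= cutoff]
            if len(recent_fails) >= BRUTE_MIN_FAILS:
                findings["bruteforced_users"].add(e["user"])
        elif e["ip"] in findings["spraying_ips"] or e["user"] in findings["bruteforced_users"]:
            # A success from a flagged source, or on a flagged account, is the
            # event a SOC should act on: the guessing may have worked.
            findings["suspicious_logins"].append((e["user"], e["ip"]))
    return findings


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, 203.0.113.5 is flagged for spraying after its fifth distinct account, the login it then achieves as frank is reported as suspicious, grace is flagged as brute-forced, and heidi’s single typo followed by a normal login is left alone. In production the thresholds are tuned to the service, and the same logic is usually expressed as a SIEM rule rather than a script.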

Guessing

Although hackers have automated tools for cracking passwords, sometimes they are not even necessary: simple guesswork, as opposed to the more systematic approach of a brute-force attack, can do the job! The most common password of 2020 was “123456”, followed by “123456789”. In fourth place was the word “password”. Most people use the same password, or a derivative of it, across multiple accounts, which makes the scammers’ work easy.
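An added example (not from ESET or the article) of the screening a login system can apply to counter exactly this kind of guessing: Python code that rejects a candidate password when it is a known common password, a trivial variation of one (changed capitalisation, trailing digits or symbols, letter-for-symbol substitutions), or a derivative of a password the same user has already used. The denylist and the substitution table are small constructed placeholders; a real deployment would screen against a large corpus of breached passwords.

```python
import re

# Constructed denylist for the example. A real deployment screens against a
# large breached-password corpus; the top entries the article cites would be in it.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "letmein", "welcome"}

# Constructed substitution table: undoes the usual "leet" swaps people make.
LEET_MAP = str.maketrans(
    {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}
)


def root_forms(pw):
    """Return every 'root' the password could have been built from.

    Lower-cases, strips trailing digits/symbols (Summer2024! -> summer) and
    undoes leet substitutions (p@ssw0rd -> password), so trivial variations
    of a weak password collapse onto the weak password itself.
    """
    lower = pw.lower()
    forms = {lower, lower.translate(LEET_MAP)}
    stripped = re.sub(r"[^a-z]+$", "", lower)
    if stripped:  # keep an all-digit password such as 123456789 intact
        forms.add(stripped)
        forms.add(stripped.translate(LEET_MAP))
    return forms


def check_password(pw, previous=(), min_len=8):
    """Return None if the password is acceptable, otherwise a short rejection reason.

    `previous` holds the user's earlier passwords (in practice only their
    hashes would be stored, so the derivative check would run before hashing).
    """
    if len(pw) < min_len:
        return "too short"
    forms = root_forms(pw)
    if forms & COMMON_PASSWORDS:
        return "common password or a trivial variation of one"
    for old in previous:
        if forms & root_forms(old):
            return "derivative of a previously used password"
    return None


if __name__ == "__main__":
    for candidate, old in [
        ("123456789", []),
        ("P@ssw0rd123!", []),
        ("Summer2024!", ["Summer2023!"]),
        ("correct horse battery staple", ["Summer2023!"]),
    ]:
        print(f"{candidate!r}: {check_password(candidate, previous=old) or 'accepted'}")
```

The point of the normalisation step is that the denylist alone would accept “P@ssw0rd123!”, which is the second entry on the article’s list with three predictable decorations; collapsing it back to “password” before the lookup is what makes the check useful. A password manager generating long random strings sidesteps all of this, which is why the advice below leads with it.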

Shoulder surfing – Peeking over the victim’s shoulder

Some long-established spying techniques remain a danger. They require the attacker to be physically close to the victim, with a clear view of the victim’s keyboard and screen. A higher-tech version, the man-in-the-middle attack, involves intercepting the Wi-Fi wireless signal: hackers connected to the same public Wi-Fi network can watch a password as the unsuspecting user enters it.

How can you protect yourself from all this?

  • Use only strong, unique passwords or passphrases on all online accounts, especially banking, e-mail and social media.
  • Do not use the same password on different accounts.
  • Enable two-factor authentication (2FA) on all accounts.
  • Use a password manager that stores a strong, unique password for each website and each account.
  • Change your password immediately if a provider notifies you that your data may have been compromised.
  • Only visit websites served over HTTPS (addresses beginning with “https://”).
  • Do not click links or open attachments in spam e-mails.
  • Only download apps from official app stores.
  • Invest in security software from a trusted provider for all your devices.
  • Make sure all operating systems and applications are updated to the latest version.
  • Beware of shoulder surfers in public places.
  • Never sign in to an account while on a public Wi-Fi network. If you must use such a network, use a VPN.

