How hackers try to obtain your password

We look at 8 common password cracking techniques and explain how you can protect yourself.

Cyber criminals use a range of techniques to crack passwords

Hackers try a variety of techniques to crack your password. In this blog, we outline these methods and explain how you can protect yourself. 

The good news is there's a simple and free solution. By choosing passwords consisting of three random words, numbers and symbols, you'll be making it extremely difficult for cyber criminals to guess them. Passwords shouldn’t be re-used to prevent criminals committing a password spraying attack so use a different password for every account; especially your email.

Sure, remembering lots of different passwords is far from easy - but that's what secure password manager apps are for.

Here are the 8 common password threats:

1. User disclosure 

When it comes to cyber security, it’s OK to have trust issues! One of the most effective ways to keep your password safe is to simply not tell anybody what it is. Once you’ve shared it with someone, you immediately lose control of how that password is shared by others.

You should especially avoid emailing or messaging your password to other people. Even if you trust the recipient, someone else might be reading their emails. 

Many people write passwords down – but it’s much safer to store them in a secure password manager app, such as LastPass, or consider saving them in your browser if you don’t want to manage a third party application.

2. Social engineering

This is the act of tricking someone into divulging information. A hacker might call you on the phone and say they are an IT professional from your workplace. Under this guise, they might ask you for your password. Make sure you don't fall for these schemes. 

3. Phishing 

Phishing is a type of social engineering attack often used to steal login credentials. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email or text message. It may include a link to a fake (but official looking) website where it asks for your login information, or there may be an malicious attachment that can infect your device when opened.

Here is an example of a phishing email:

The person who received it was not a Chase customer. Thankfully, they realised it was a fraudulent email and did not click the link. A wise decision!

Even if you are a customer, avoid opening links or attachments and go directly to the genuine website to check using your browser to type in the known web address, or contact the organisation / person sending the email directly on established contact details to verify its authenticity. Forward any suspicious emails to the Suspicious Email Reporting Service to

4. Keystroke logging

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that person using the keyboard is unaware that their actions are being monitored. A keystroke recorder or keylogger can be either software or a device plugged into a computer.

Using 2-Step verification helps prevent keylogging attacks. Other countermeasures include installing software updates and using key encryption software.

* To strengthen your resilience to online crime, join as a EMCRC Member for FREE and sign up to our e-newsletter.

5. Wireless sniffing

If someone in your household is having a telephone conversation downstairs, it’s possible to listen in on their conversation by picking up an upstairs telephone. 

Wireless sniffing is a similar form of eavesdropping that can happen on public WiFi networks. If you’re in a coffee shop browsing the web, a cyber criminal within range of that WiFi network can use a variety of methods to intercept information sent from your laptop to the wireless router – such as passwords. 

It can be tricky to prevent a well-equipped and well-placed packet sniffer from plucking up your network traffic, but guidance can be found here

6. Brute force guessing

A brute force attack uses trial-and-error to guess login info. Hackers use a computer to work through all possible combinations hoping to guess correctly. 

Depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years. This is why it is important to have a long, strong password. Every character added to your password makes it harder to guess. Adding more keyboard symbols – like numbers and punctuation symbols – adds even more possibilities for the brute force attacker to deal with. 

Tests such as this tell humans and robots apart

To reduce the threat, many websites ask users to prove they are not a robot. This involves a test which is simple and straight forward for any human to answer but which is almost impossible for a computer to solve.

7. Dictionary attacks

A dictionary attack is a method of breaking into a computer or server by systematically entering every word in a dictionary as a password.

Dictionary attacks work because many computer users and businesses use ordinary words as passwords. These attacks also include substituting letters and numbers, for instancePa55word and Ch0colate. To protect yourself against a dictionary attack, choose a password that does not feature a word found in the dictionary.

Also, be careful not to incorporate a set of numbers or word that is related to you and is publicly available online, as cyber criminals may incorporate these into a dictionary attack. For example, if your Facebook account reveals you were born on 15th November 1982, it would not be wise to set your password as ‘Password151182’. 

8. Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) is a way of adding another layer of security to your accounts and should be enabled on all accounts where possible. This could be:

Something you know – such as a security question

Something you have – such as a one-time code on an authenticator app, or code sent as a text message to your trusted device

Something you are – your biometrics, such as your fingerprint or facial recognition.

However, be careful what you post online as security questions can sometimes be easily guessed by researching you. For example, if the security question is ‘favourite football team’ and you are wearing that team’s shirt on an Instagram post, the offender will know the answer.

Consider an authenticator app which will generate a one-time code for your additional security measure.  


READ MORE: Cyber threat is real - but fear is wrong reaction


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.