IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
In-depth

The top 12 password-cracking techniques used by hackers

Some of the most common, and most effective, methods for stealing passwords

Passwords have a terrible reputation, partly due to the poor ways in which people use them, but also because they're just not that secure. They're typically easy to crack - especially if you use simple ones - and in today's age of biometrics and cryptography, passwords are somewhat dated.

The fact that passwords are still the primary method of user authentication is largely down to how easy they are to use. The issue is that we know how fallible they are, there are countless ways in which to crack them, but we still feel they're secure. But no matter how complex you make one, there is always going to be someone out there who knows a way to find it.

We have pulled together some of those ways below, but it is worth noting that most of these techniques will fail in the face of robust multi-layer authentication

12 password-cracking techniques used by hackers:

1. Phishing

Padlock being lifted by a fishing hook on a blue background to symbolise phishing attacks

Shutterstock

Phishing almost needs no introduction given how popular it is. If you work in any IT-based role you'll have dealt with phishing at some point, and if your job involves email you'll have definitely come across it - potentially without even knowing it. Phishing is the practice of attempting to steal user information by disguising malicious content as something trustworthy, like an email attachment or clickable link. The term is generally associated with email, but there are other mediums, such as ‘smishing’ (SMS phishing).

The typical tactic is to trick a user into clicking on an embedded link or downloading an attachment. Instead of being directed to a helpful resource, a malicious file is downloaded and executed on the user’s machine. What happens next depends entirely on the malware being executed – some may encrypt files and prevent the user from accessing the machine, while others may attempt to stay hidden in order to act as a backdoor for other malware.

As computer literacy has improved over the years, and as users have grown accustomed to online threats, phishing techniques have had to become more sophisticated. Today’s phishing usually involves some form of social engineering, where the message will appear to have been sent from a legitimate, often well-known company, informing their customers that they need to take action of some kind. Netflix, Amazon, and Facebook are often used for this purpose, as it’s highly likely that the victim will have an account associated with these brands.

Related Resource

Don’t just educate: Create cyber-safe behaviour

Designing effective security awareness and training programmes

How to define effective security awareness and training programmesDownload now

The days of emails from supposed princes in Nigeria looking for an heir, or firms acting on behalf of wealthy deceased relatives, are few and far between these days, although you can still find the odd, wildly extravagant, claim here and there. 

Our recent favourite is the case of the first Nigerian astronaut who is unfortunately lost in space and needs us to act as a man in the middle for a $3 million dollar transfer to the Russian Space Agency – which apparently does return flights.

2. Social engineering

Speaking of social engineering, this typically refers to the process of tricking users into believing the hacker is a legitimate agent. A common tactic is for hackers to call a victim and pose as technical support, asking for things like network access passwords in order to provide assistance. This can be just as effective if done in person, using a fake uniform and credentials, although that’s far less common these days.

Successful social engineering attacks can be incredibly convincing and highly lucrative, as was the case when the CEO of a UK-based energy company lost £201,000 to hackers after they tricked him with an AI tool that mimicked his assistant’s voice.

3. Malware

Skull mixed within computer code

Keyloggers, screen scrapers, and a host of other malicious tools all fall under the umbrella of malware, malicious software designed to steal personal data. Alongside highly disruptive malicious software like ransomware, which attempts to block access to an entire system, there are also highly specialised malware families that target passwords specifically.

Keyloggers, and their ilk, record a user’s activity, whether that’s through keystrokes or screenshots, which is all then shared with a hacker. Some malware will even proactively hunt through a user’s system for password dictionaries or data associated with web browsers.

Our list continues on the next page with some of the more aggressive techniques available to hackers

Featured Resources

What 2023 will mean for the industry

What do most IT decision makers really think will be the important trends and challenges in the coming year?

Free Download

2022 Magic quadrant for Security Information and Event Management (SIEM)

SIEM is evolving into a security platform with multiple features and deployment models

Free Download

IDC MarketScape: Worldwide unified endpoint management services

2022 vendor assessment

Free Download

Magic quadrant for application performance monitoring and observability

Enabling continuous updating of diverse & dynamic application environments

View Now

Recommended

Threat hunting for MSPs
Whitepaper

Threat hunting for MSPs

10 Jan 2023
IBM LinuxONE for dummies
Whitepaper

IBM LinuxONE for dummies

4 Jan 2023
Six myths of SIEM
Whitepaper

Six myths of SIEM

3 Jan 2023
Storage's role in addressing the challenges of ensuring cyber resilience
Whitepaper

Storage's role in addressing the challenges of ensuring cyber resilience

3 Jan 2023

Most Popular

Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
GTA V vulnerability exposes PC users to partial remote code execution attacks
vulnerability

GTA V vulnerability exposes PC users to partial remote code execution attacks

23 Jan 2023
European partners expect growth this year, here are three ways they will achieve it
Sponsored

European partners expect growth this year, here are three ways they will achieve it

17 Jan 2023