Five techniques cybercriminals use to steal your passwords

Passwords are often the only thing that stands between a cybercriminal and a user’s personal and financial data, which is why they are currently one of the main targets of criminal activity.

These keys are the Achilles heel of many people’s digital lives, especially since the average user nowadays has to remember around a hundred login credentials, a number that has only grown in recent years.

The cybersecurity company ESET has compiled the five most widespread techniques cybercriminals use to get hold of people’s passwords and gain access to their accounts.


The most widely used attack technique takes advantage of the human tendency to make wrong decisions, especially when deciding in a hurry. Cybercriminals exploit this weakness through social engineering, a psychological manipulation trick designed to get people to do something they shouldn’t.

‘Phishing’ is one of the most famous examples. In this case, criminals impersonate legitimate entities, such as friends, family or companies with which the user has done business.

These emails or texts appear authentic, but include a malicious link or attachment which, if clicked, will download ‘malware’ or lead to a page asking for personal data.


Another popular way to get passwords is through ‘malware’, malicious software. Phishing emails are a primary vector for this type of attack, although you can also fall victim by clicking on a malicious ad (‘malvertising’) or even by visiting a compromised website (‘drive-by download’).

As ESET has highlighted, ‘malware’ can even hide in a legitimate-looking mobile app, usually found in third-party app stores.

There are several varieties of ‘malware’ designed to steal information, but some of the most common record the keys the user presses on the keyboard or take screenshots of the device and send them to the attackers.


The average number of passwords a person has to manage is estimated to have increased 25 percent year-on-year in 2020. Many people use easy-to-remember passwords and reuse them across multiple sites, but this opens the door to so-called brute force techniques.

One of the most common attacks is credential checking. In this case, attackers feed large volumes of previously stolen username and password combinations into automated ‘software’.

The tool then tests them against a large number of sites, hoping to find a match. In this way, criminals can unlock multiple accounts with a single password.

According to one estimate, last year there were 193 billion attempted attacks of this type worldwide. One of the most notable recent victims has been the Canadian government.

Another brute force technique is random password testing. In this case, hackers use automated ‘software’ to test a list of commonly used passwords against an account.
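The two automated attacks described above leave distinct traces in an authentication log: credential checking shows one source cycling through many different usernames, while testing a list of common passwords shows many failures against a single account. The following is an added example (not from the article or from ESET) that runs both detections over constructed log lines in an assumed "timestamp result user= src=" layout; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not from the article): one source
# cycling through many usernames, and one source hammering a single user.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z FAIL user=alice src=203.0.113.7
2021-03-01T10:00:02Z FAIL user=bob src=203.0.113.7
2021-03-01T10:00:02Z FAIL user=carol src=203.0.113.7
2021-03-01T10:00:03Z FAIL user=dave src=203.0.113.7
2021-03-01T10:00:03Z OK user=erin src=203.0.113.7
2021-03-01T10:00:04Z FAIL user=frank src=203.0.113.7
2021-03-01T10:00:09Z FAIL user=alice src=198.51.100.2
2021-03-01T10:00:15Z FAIL user=alice src=198.51.100.2
2021-03-01T10:00:21Z FAIL user=alice src=198.51.100.2
2021-03-01T10:00:27Z OK user=alice src=198.51.100.2
"""

# Assumed line layout: "<timestamp> <OK|FAIL> user=<name> src=<ip>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def stuffing_candidates(events, min_users=5):
    """Sources that tried many *distinct* usernames: the pattern left by a tool
    replaying a stolen username/password list. Successes from such a source
    are the accounts whose reused password just got unlocked."""
    users, hits = defaultdict(set), defaultdict(set)
    for e in events:
        users[e["src"]].add(e["user"])
        if e["result"] == "OK":
            hits[e["src"]].add(e["user"])
    return {src: {"users_tried": len(u), "hits": sorted(hits[src])}
            for src, u in users.items() if len(u) >= min_users}


def guessing_candidates(events, min_fails=3):
    """(user, source) pairs with repeated failures: a list of common passwords
    being tried against one account. A user mistyping their own password
    rarely reaches this count from a single source."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[(e["user"], e["src"])] += 1
    return {k: n for k, n in fails.items() if n >= min_fails}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("credential checking:", stuffing_candidates(evts))
    print("password guessing:", guessing_candidates(evts))
```

The successful login for erin from the first source is the finding that matters most: it is the account whose reused password should be rotated and whose session should be reviewed.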


Although cybercriminals have automated tools for forcing password guesses, sometimes they are not even necessary: simple guesswork, as opposed to the more systematic approach used in brute force attacks, can achieve the goal.

The most common password in 2020 was ‘123456’, followed by ‘123456789’. In fourth place is the word ‘password’ itself.


Although there are many ways to steal a password online, it is worth remembering that there are still ways to learn a password in the physical world that pose a risk.

This is the case with what is known in English as ‘shoulder surfing’, simply ‘looking over the shoulder’ in Spanish. It does not only affect credit card PINs: ESET has conducted experiments showing how easily a Snapchat password can be guessed this way.


To help protect Internet users, ESET has shared a series of recommendations so that users do not end up having their passwords stolen.

Some of these tips are familiar, such as using only strong and unique passwords or passphrases on all accounts, especially bank, email and social media accounts. This includes avoiding reusing credentials.

Another recommendation is to enable two-factor authentication (2FA) or use a password manager, which will store strong and unique passwords for each site and account. It is also important to change your password immediately if a provider reports data theft.

Users should stay alert and log in only on HTTPS sites, not click links or open attachments in unsolicited emails, and download applications only from official stores.

It is also advisable to use cybersecurity ‘software’, keep the operating system and applications updated, be careful of possible ‘peepers’ in public spaces and never log in to accounts from public WiFi networks, where the use of VPN tools is recommended.

By Editor