How Does a Password Get Hacked?

Passwords are the keys to our digital lives. We rely on them to access everything from our social media and online shopping accounts to our bank accounts and health records. By design, passwords are a secure way of protecting our online identities and personal data. Unfortunately, hackers are constantly finding new and increasingly sophisticated ways to illegally access passwords, leaving many of us vulnerable to online attacks.

At Key, we believe knowledge is power, and arming yourself with information is your first line of defense. So let’s take a look at five of the most common ways criminals can hack your passwords.

Credential Stuffing: Reuse abuse

Credential stuffing is a method where the hacker uses login information that has been previously leaked in a data breach. Hackers often buy these leaked credentials on the dark web and then use them to try and log in to other accounts. This method is effective because many people reuse passwords across multiple accounts. If one account is hacked, the hacker can then try that same password on other accounts and gain access.

  • Tip: Create unique passwords for each of your online accounts.

Dictionary Attacks: The ABCs of hacking

A dictionary attack is a “brute force” method of obtaining passwords—meaning the hacker uses a trial-and-error approach, entering countless words and phrases until they find one that works. With dictionary attacks in particular, criminals develop an extensive dictionary of common password phrases, and then employ software to automatically try millions of combinations until they find the right one.

  • Tip: When creating a password, avoid using real words and include a variety of letters, numbers, and characters.

Keylogging: For the voyeuristic hacker

Keylogging is a method where the hacker installs software on a victim's computer—either through physical access or via a malicious link—that records all keystrokes. This allows the hacker to see everything the victim types, including their passwords. Keylogging can be difficult to detect because the victim may not even know that their computer has been compromised.

  • Tip: Install antivirus software. Always lock your computer to prevent others from accessing your device, and avoid clicking suspicious links and links embedded in unsolicited emails.

Password Spraying: A wider approach

With this technique, the hacker uses a few common passwords and tries them on multiple accounts. For example, they may try "password123" on hundreds of different accounts until they find one that works. This method is less likely to be detected because no single account sees the run of repeated failed login attempts that would normally raise suspicion.

  • Tip: Never use simplistic or commonly used passwords like “12345” or “qwerty.”
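
For readers who run a login system, the added example below (not KeyBank code, and not part of the original article) shows why a per-account failed-login counter misses password spraying, and how counting the distinct accounts that fail from one source catches it. The log format, thresholds, 10-minute window, IP addresses and usernames are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
LOCKOUT_THRESHOLD = 5            # assumed: failures on ONE account before lockout
SPRAY_THRESHOLD = 4              # assumed: distinct accounts failed from ONE source

def _failures(rows):
    """Parse 'ISO-time ip user OK|FAIL' rows; return failed attempts in time order."""
    parsed = []
    for row in rows:
        ts, ip, user, outcome = row.split()
        if outcome == "FAIL":
            parsed.append((datetime.fromisoformat(ts), ip, user))
    return sorted(parsed)

def per_account_lockouts(rows):
    """Classic control: accounts with >= LOCKOUT_THRESHOLD failures inside WINDOW."""
    seen, hit = defaultdict(list), set()
    for ts, _ip, user in _failures(rows):
        seen[user] = [t for t in seen[user] if ts - t <= WINDOW] + [ts]
        if len(seen[user]) >= LOCKOUT_THRESHOLD:
            hit.add(user)
    return hit

def spray_sources(rows):
    """Spray view: sources failing against >= SPRAY_THRESHOLD distinct accounts inside WINDOW."""
    seen, hit = defaultdict(list), set()
    for ts, ip, user in _failures(rows):
        seen[ip] = [(t, u) for t, u in seen[ip] if ts - t <= WINDOW] + [(ts, user)]
        if len({u for _, u in seen[ip]}) >= SPRAY_THRESHOLD:
            hit.add(ip)
    return hit

# Constructed sample log (documentation IP ranges, made-up usernames).
SAMPLE = [
    "2024-01-01T09:00:00 203.0.113.7 alice FAIL",
    "2024-01-01T09:00:40 203.0.113.7 bob FAIL",
    "2024-01-01T09:01:10 198.51.100.23 erin FAIL",   # ordinary typo, then success
    "2024-01-01T09:01:20 203.0.113.7 carol FAIL",
    "2024-01-01T09:01:30 198.51.100.23 erin OK",
    "2024-01-01T09:02:00 203.0.113.7 dave FAIL",
    "2024-01-01T09:02:30 203.0.113.7 erin FAIL",
]

if __name__ == "__main__":
    print("accounts that would lock out:", per_account_lockouts(SAMPLE))
    print("sources flagged for spraying:", spray_sources(SAMPLE))
```
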

Phishing Scams: The fake bait method

Phishing is a common technique used by hackers to trick people into giving away their passwords. The hacker creates a fake login page that looks virtually identical to the real login page of a legitimate website. They then send an email or a message to the victim, asking them to log in to the website to verify their account details. Once the victim enters their login information, the hacker can use it to access their account.

  • Tip: Install antivirus software and be wary of unsolicited emails urging you to click a link to sign in. When possible, avoid clicking embedded links—visit the website directly from your browser to sign in.

Let’s fight fraud. Together.

Passwords are the first layer of security for our digital lives. To keep yours protected, use strong, unique passwords for each account and enable two-factor authentication whenever possible.

When you initiate an interaction with KeyBank, we may ask for your information, such as the last four digits of your Social Security number, login ID, or a one-time passcode to verify your identity. However, be cautious of unexpected requests by phone, text, or email for your full Social Security number, login ID, or other personal information when the communication was not initiated by you. Verify these requests by contacting a known KeyBank resource (e.g., a local branch, 1-800-KEY2YOU®) before providing any sensitive information.

Staying informed of the latest fraud trends is a crucial step in safeguarding your personal data from cyber threats—and KeyBank is here to help you do just that. Learn more about our commitment to cybersecurity at key.com/fraudprevention.