How hackers guess your passwords

Many people have had their passwords cracked, whether they know it or not. Cyber criminals spend a lot of their time cracking passwords.

11-04-2022 - 6 minute read. Posted in: hacking.

How hackers guess your passwords

Many people have had their passwords hacked, whether they know it or not. Cybercriminals spend a lot of time hacking passwords, and they have a number of ways to do it.

How can hackers guess your password?

There are various methods hackers can use to gain access to your passwords. One simple but effective method is brute force attacks.

Brute force attacks

A brute force attack is an attempt to guess a password or username using a trial and error approach. It is now an old attack method, but it is still effective and popular among hackers today.

Depending on the length and complexity of a code, it can take anywhere from a few seconds to many years to guess the code. In fact, it appears that some hackers go after the same passwords or systems every day for months and sometimes for years.

Types of brute force attacks

A brute force attack can be both online and offline.

Online attacks

A very simple online brute force attack involves an attacker manually entering combinations of letters, numbers and special characters into a login form.

Hackers use dictionaries as a tool. They go through all the words in a dictionary and add numbers and special characters. This simple method is not used very often as it is very time consuming for the hackers.

Another type of online brute force is also done by manually entering password combinations, but the combinations are based on information the hackers have obtained through previous data breaches or cyber attacks.

On the dark web, there are millions of leaked passwords and usernames that hackers can use to hack other passwords and accounts.

Hackers also check variations of passwords, for example by trying both upper and lower case letters, bending words or replacing a number with a character. The hacker may also try to gain access to an account or system by using a commonly used password on many different usernames.

For example, if a hacker wants to gain access to a particular company's accounts, they might try "password123" or "qwerty" on all of their employees' emails - it only takes one employee using a commonly used password for the hacker to gain access.

The last type of online brute force attack is the two types mentioned automated. This means that the hacker uses a script or software program to try many hundreds of variations per second. With several hundred attempts per second, the hacker can make many variations over single passwords.

So if you have one or more of your passwords leaked, you can't just make variations on the same passwords.

Offline attacks

Many services and websites have a limit on the number of times you can try to log in. There are also many sites that require you to enter a CAPTCHA when logging into an account.

This kind of security measure is called "rate limiting" and brute force attacks are one of the reasons why many companies use it. Rate limiting makes it harder for an attacker to use automated brute force, as it takes longer for them to check combinations.

In such cases, the hacker can use offline brute force instead. Hackers can relatively easily access passwords that are encrypted in hashes. Hashes are the result of a hash function that encrypts data and transforms the data into text strings.

When the hacker tries to decrypt a password that has been encrypted by a hash function, by entering a password and having it encrypted in the same way as the unknown password, the hacker can see if the two encrypted text strings match.

In an offline brute force attack, there is no rate limiting, so the hacker can in principle test billions of different combinations per second.

Can hackers guess a strong password?

The risk of having your passwords stolen by cyber criminals through brute force attacks can be reduced by using long, complex and unique passwords. But even if you use strong and secure passwords, there are still ways that cyber criminals can gain access to your passwords.


Keylogging is a technique often used in targeted cyber attacks where a hacker either knows the victim or is particularly interested in the victim.

#What is it?*

Keyloggers are a type of software that records your movements as you type on the keyboard and can be a particularly effective means of obtaining personal information for important accounts such as an online bank account.

How does it work?

Keylogging is a slightly harder cyberattack to carry out because it first requires accessing or compromising the victim's device with keylogging malware. If an attacker manages to install the malwaree on the victim's computer, the keylogging runs immediately.


Most hacker attacks start with a phishing email, so it's an effective way to trick people out of passwords.

What is it?

Phishing is a social engineering attack that attempts to trick victims into giving up their personal information, often by impersonating a legitimate company, organisation or government agency.

How does it work?

The most common form of phishing is email phishing, which contains either phishing links to fake websites or attachments containing malware.

When the victim clicks on the link, they are directed to a phishing website that has a fake login form. The cybercriminals gain access to the victim's details as soon as the victim enters them.

If the victim downloads an attachment, malware will be installed on their computer, giving the cyber criminals access to the entire computer system.

Keep track of all your passwords with a password manager.

It can be very difficult to remember many complex passwords, so it's a good idea to use a password manager.

The password manager is a software program designed to generate strong passwords and store them for you.

The password manager creates very complex and long passwords for all your different digital services. When you open your password manager, you can access and log in to your various digital accounts. Password managers autofill both password and username when you need to log in to an account.

The best password managers are paid versions, such as 1Password or Lastpass.

Author Sofie Meyer

Sofie Meyer

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.

View all posts by Sofie Meyer

Similar posts