How Hackers Actually Get Your Password (And How to Stop Them)
The Hollywood Version Is Wrong
In films, hackers crack passwords by running supercomputers through combinations until they find the right one. This happens, but it is not how most people get hacked.
The reality is less dramatic and more preventable. Here are the actual methods, in order of how commonly they affect ordinary people.
Method 1: Credential Stuffing (Most Common)
You have a username and password on a forum you joined in 2016. That forum was breached. The breach data was sold on the dark web. An automated tool tries your username and password on Gmail, Netflix, your bank, Amazon — every major service.
If you reused that password, the attacker is in. This is credential stuffing. It is responsible for the majority of account takeovers against ordinary people.
How to stop it: Use a unique, generated password on every site. A password manager makes this automatic.
Method 2: Phishing (Second Most Common)
You receive an email that looks exactly like it is from your bank. The link goes to a website that looks exactly like your bank's website. You enter your username and password. The attacker has them.
Modern phishing is sophisticated. The emails are well-written, and the fake sites have valid SSL certificates, so the padlock in your browser proves nothing about a phishing site: it only means the connection is encrypted, not that the site belongs to who it claims to be.
How to stop it: Never click links in unexpected emails. Go directly to your bank's website. Use a password manager: it will not autofill credentials on a phishing site, because the domain of the saved entry will not match the domain of the page asking for them.
Method 3: Password Spraying (Targeted)
Rather than trying many passwords on one account (which triggers lockouts), attackers try one common password against many accounts. Passwords like "Summer2026!" or "Welcome1" are tried against millions of usernames.
This targets accounts with weak or predictable passwords. If your password includes your birth year, a capitalised first letter, or ends in "!" — it is in the spraying lists.
How to stop it: Use generated random passwords. They are not in any dictionary or pattern list.
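From the defender's side, spraying shows up in login logs as the mirror image of the lockout-triggering pattern: many different usernames, each failing only once or twice, from one source in a short window. The Python below, added here as an illustration and not part of the original article, runs that heuristic over a constructed log sample; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample auth log (not from any real system): one line per login attempt.
SAMPLE_LOG = """\
2026-04-07T09:00:01 FAIL user=alice src=203.0.113.9
2026-04-07T09:00:02 FAIL user=bob src=203.0.113.9
2026-04-07T09:00:03 FAIL user=carol src=203.0.113.9
2026-04-07T09:00:04 FAIL user=dave src=203.0.113.9
2026-04-07T09:00:05 OK user=erin src=203.0.113.9
2026-04-07T09:00:10 FAIL user=alice src=198.51.100.4
2026-04-07T09:00:11 FAIL user=alice src=198.51.100.4
2026-04-07T09:00:12 FAIL user=alice src=198.51.100.4
2026-04-07T09:05:00 FAIL user=gina src=192.0.2.7
2026-04-07T09:05:30 OK user=gina src=192.0.2.7
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Yield (timestamp, success, user, src) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result == "OK", user, src

def classify_sources(text, window_s=300, min_users=4, max_per_user=2, brute_fails=3):
    """Label each source IP 'spraying' (few failures per account spread over many
    accounts in one window), 'brute-force' (many failures on one account) or 'normal'."""
    by_src = defaultdict(list)
    for ts, ok, user, src in parse_log(text):
        by_src[src].append((ts, ok, user))
    report = {}
    for src, events in sorted(by_src.items()):
        events.sort()
        fails, succeeded = defaultdict(int), set()  # failures per account; accounts logged into
        for _, ok, user in events:
            if ok:
                succeeded.add(user)
            else:
                fails[user] += 1
        span = (events[-1][0] - events[0][0]).total_seconds()
        worst = max(fails.values(), default=0)  # most failures against any single account
        label = "normal"
        if span <= window_s and len(fails) >= min_users and worst <= max_per_user:
            label = "spraying"  # many accounts, each kept under the lockout threshold
        elif worst >= brute_fails:
            label = "brute-force"  # one account hammered: the pattern lockouts already catch
        report[src] = {"label": label, "accounts_tried": len(fails), "succeeded": succeeded}
    return report
```

The `succeeded` set matters most in response: an account that logged in from a source flagged as spraying is the one whose password was guessed and needs resetting first.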
Method 4: Keyloggers and Malware
Malware on your device records everything you type, including passwords. This is less common than credential stuffing for most people, but it is catastrophic when it occurs because it captures passwords that have never been in a breach.
How to stop it: Run antivirus software, keep your software updated, and never download software from unofficial sources.
Method 5: SIM Swapping (Growing)
An attacker calls your mobile carrier, convinces them you are you, and gets your phone number transferred to their SIM. Now they receive your SMS 2FA codes. This is used primarily against high-value targets.
How to stop it: Use authenticator apps (Authy, Google Authenticator) instead of SMS for 2FA. Set a PIN with your carrier for account changes.
The Pattern
Every common attack method has a straightforward defence. Unique passwords (via password manager) stop credential stuffing. Authenticator 2FA stops phishing. Antivirus stops keyloggers. The defences are not complicated — they just require setting them up.
Written by Øyvind — NorwegianSpark SA.
Reviewed by Øyvind — NorwegianSpark · Last updated: 7 April 2026