How Cybercriminals Get Your Password (and What You Can Do About It)

You may have heard strong passwords are the best defense against cybercriminals. But why do they need to be so complicated? And how do cybercriminals use weak passwords to access accounts?

Keep reading to see some of the most common ways cybercriminals get your passwords and how you can fight back.

Brute Force

A brute force attack is one of the simplest and most common ways a hacker accesses accounts. This method uses computer programs to try variations of usernames and passwords until they get access. These programs enter random combinations of digits or a list of words to breach whatever accounts they can find. They start with the most common passwords, including “123456” and “password.”

How to Fight Back: Cybercriminals using this method are looking for the low-hanging fruit: users who use basic passwords that are easy to guess. Security experts recommend using complicated, unique passwords for all accounts.

You may notice that some websites will lock you out of an account after several unsuccessful attempts. This could be annoying in the moment, but it means the website owner has defensive measures in place against brute force attacks.

Credential Stuffing

Credential stuffing attacks use stolen credentials to access accounts on other platforms. For example, a hacker may buy a list of stolen usernames and passwords off the internet, then try those credentials on popular websites.

How to Fight Back: It may feel silly to use a new password for every account, but security experts recommend the practice. If you reuse passwords and usernames on different platforms, it only takes one data breach to access all your accounts.

Even if you think your password is safe, you may not know it leaked until it’s too late. You can check if you have any compromised accounts by entering your email at


Phishing attacks convince users to hand their credentials over to hackers. It may seem ridiculous that someone would hand over their password, but cybercriminals are smart. Someone might pose as a business you trust or a person you know. Unless you’re careful, the fakes can be hard to tell apart.

Along with convincing fakes, phishing attackers will use scare tactics to get you to act before you think. They may say you need to take action now to avoid losing your account or threaten to make you pay a fee.

How to Fight Back: Protect your sensitive information by making sure you:

  • Never share your password with anyone, even if they claim to work for an organization you trust.
  • Never enter your password on a website you don’t recognize.
  • Always double-check the website address at the top of your web browser before entering passwords or sensitive information. If it doesn’t match the website's name exactly, it could be a fake version created for a phishing attack.

These are only some of the most common ways cybercriminals steal passwords. If you’re not sure about the passwords you’re using, check out our Keeping Your Accounts Secure With Strong Passwords article.

If you have any other questions, visit our help page or contact a Western State Bank team member today.