Our digital lives and accounts hold valuable assets—savings we’ve built over the years, reputations we’ve crafted on social media, and intimate messages we share with loved ones. These assets are all protected by one main line of defense: our passwords.

Despite their importance, millions of people rely on weak passwords and poor password habits that make them susceptible to hacking. For instance, 59% of US adults use birthdays or names in their passwords, and 65% of Americans use the same password across multiple accounts. Alarmingly, 13% of Americans use the same password for every account.

Hackers can steal your passwords through various methods, including data breaches, password cracking, guessing, physical theft, and malware. When your password is stolen, cybercriminals can sell your information on the dark web to other hackers or use it themselves to commit crimes. Your stolen password and associated account information can give them access to important accounts, allowing them to steal other personally identifiable information (PII), resulting in financial loss or identity theft.

How do hackers steal passwords?

• Data Breaches: Data breaches are one of the most common ways credentials are stolen. In 2023, over 353 million individuals in the US were affected by 3,205 breaches, a 78% increase from 2022. These breaches can expose usernames and passwords, health information, credit card numbers, social security numbers, and more. Telco companies like AT&T, Verizon, and T-Mobile are frequently targeted by hackers because of the vast amounts of personal information they collect.
• Password Cracking through Brute Force: Brute force is a method of password cracking that involves repeatedly guessing passwords until the correct one is found. There are two main types of brute force attacks: online and offline. Online brute force attacks involve bots trying to guess passwords directly on a live system, often with limitations like lockouts or rate-limiting, which slows down the process significantly. Offline brute force attacks, on the other hand, occur when an attacker has already obtained encrypted passwords (e.g., from a data breach) and can test them without any restrictions. In these cases, a powerful computer can try millions of combinations per second. For instance, a random 8-character password might be cracked in about 8 minutes in an offline attack.
• Credential Stuffing: Credential Stuffing is the automated injection of stolen username and password pairs into several website login forms, in order to fraudulently gain access to user accounts. Since many users re-use the same password and username/email, when those credentials are exposed (e.g., from a database breach or phishing attack), submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.
• Guessing: Hackers may gather information by researching your digital footprint and attempt to guess your password using what they learn. For example, they may try using the names of your loved ones, your birthday, or home address as part of a password. Cybercriminals are often successful at these attempts, as using such personal information in passwords is common.
• Shoulder Surfing: This refers to stealing information, including passwords, by physically observing the victim entering their information. Techniques can include criminals leaning over when someone is entering their PIN at an ATM or videotaping a user typing in their password. This can happen in an office, a co-working space, a café, or anywhere your keyboard or computer screen may be visible.
• Malware: Malicious links and files can contain malware, which is harmful software designed by cybercriminals. Users might accidentally download malware when they are victims of online scams like phishing attacks. One common type of malware, called a keylogger, will record your keystrokes. With this recording, the cybercriminal can steal your credentials and any other confidential information you type on your computer.
• Social Engineering: This involves using psychological methods to gain the victim’s trust, increasing the likelihood they’ll provide sensitive information. Examples include using an urgent message to cause panic and prompt the victim to hand over information without thinking, or pretending to be a loved one.
• Password Spraying: In password spraying, hackers use a few common passwords to attack multiple accounts on a single website or application. Common passwords like "123456" are low-hanging fruit as many people use them despite knowing they are not very secure. This type of attack allows hackers to access hundreds of accounts on major platforms while avoiding password lockouts that happen with brute force attacks.
• Phishing: One of the most common attacks, phishing occurs when a hacker pretends to be a legitimate entity, such as your bank, and requests sensitive information, such as your password. They may even use a spoofed site, which is a fake login page that looks like the real one, to collect your credentials.

How to Tell Your Passwords Have Been Stolen
If you cannot access your account because the password has been changed, it’s a sign that a cybercriminal has stolen your password and taken over your account. In addition, passwords leaked in data breaches are sold on the dark web. You can determine if one of your credentials is stolen by using a breach monitoring tool, such as haveibeenpwned.com.

How To Protect Your Passwords From Hackers
Here are a few tips you can use to protect your passwords.

• Use Strong, Unique Passwords for Each Account: Cybercriminals often succeed with common passwords because many people still use them. Some of the most common passwords in the world include "123456," "password," "12345," "12345678," "football," "qwerty," and "1234567890." It’s recommended to use a password with at least 16 characters, including upper and lower case letters, numbers, and special symbols. The password should be random, with no dictionary words or personal details like birthdays. Having unique passwords for all your accounts makes them difficult to remember, but using a password manager will help. Password managers store your passwords in a vault that can only be unlocked with your master password—the only password you need to remember.
• Change Your Passwords When Breaches Occur: Use a dark web monitoring tool to learn when data breaches occur and compromise your accounts. When notified that a password has been compromised, change it immediately.
• Learn to Recognize Phishing Attempts: Identifying phishing attempts has become more complicated in a world where AI can effectively imitate the writing of real people. Phishing can appear in emails, texts, or other messages and often claim the user needs to complete an urgent task to avoid losing money or face some other consequence. The message may ask the user to hand over account information or PII like a Social Security number. To learn how to spot phishing and other dangerous spam messages, read more here.
• Clear Cookies Regularly: Cookies create a profile of you and your browsing habits. Because they store sensitive information like session tokens, hackers can use them to access online accounts or perform unauthorized actions. For example, attackers can steal session cookies and impersonate authenticated users to gain access to their accounts. Clearing cookies on your browser can help protect your online privacy and prevent tracking.
• Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring two or more verification factors to access your account. This significantly reduces the chances of hackers gaining access to your accounts, even if they have your password.
• Keep Your Software Updated: Ensure that your operating system, browsers, and all applications are up to date. Updates often include security patches that fix vulnerabilities hackers can exploit.

And, switch to a secure mobile carrier, like Cape:

Cape is a cellular service with security and privacy as first principles. Cape subscribers are able to enjoy the same high speed, unlimited talk, text, and data, without having to sacrifice their peace of mind or privacy.

At Cape, customers don’t have passwords–we don’t find them to be a secure way to manage accounts and the sensitive information they hold. Instead, Cape uses a cryptographic challenge response protocol based on public private key pairs. Each Cape customer randomly generates a 24-word passphrase, which is used to derive a private key that is stored securely on your device. This means that even if Cape were breached, hackers would not be able gain access to your account.

By rethinking and rebuilding telco from the ground up, with security and privacy as first principles, we also offer the following features:

• Spam Protection: Passwords are often compromised through phishing, which is increasingly being delivered via SMS (sometimes called smishing). To protect our customers from spam messages (both annoying and dangerous) Cape uses real-time AI machine learning technology to proactively fingerprint and block most spam. Our model learns the credibility of phone numbers and hyperlinks, filtering out unwanted calls and messages before they ever reach your device.
• SIM Swap Protection: Another way that fraudsters can circumvent your password is by SIM swapping you, and stealing your phone number. With your stolen phone number, they can receive one-time passwords or authentication codes and reset the passwords on your accounts with “Forgot my password” type options. SIM swaps occur when scammers compromise an insider at your carrier or use stolen information, like personally identifiable information (PII) or security question answers, to pretend to be you and convince a telco support agent to switch your phone number to a new device, controlled by the scammer. SIM swappers have done this by bribing telco support agents or stealing the support tablet directly from a carrier's store. At Cape, we believe that human-in-the-loop procedures for handling sensitive customer requests are inherently less secure. Cape support agents and employees do not initiate port-outs on your behalf; only you can initiate a port-out, using your own 24-word passphrase and our cryptographic challenge response protocol. Cape never has access to your 24-word passphrase or the private key material derived from it.

Alongside the other steps and best practices we discussed in this blog post, switching to Cape is a major step you can take to protect your passwords and accounts. Read more here about how Cape can prevent your phone from being hacked as well. In an increasingly digital world, it’s important to stay vigilant and continue to prioritize your digital safety and privacy.

Cape is launching soon. Sign up for our waitlist below.