How Are Passwords Compromised?

In the wake of several cyber attacks the past few months, we thought it'd be best to revisit perhaps the most common security problem: passwords. It should be noted that cracking passwords is not the only way to fall victim to an attack, but it remains one of the top ways to steal identities, hijack email accounts, and more.

Below are four of the most common ways passwords are compromised and what you can do to prevent each.

Brute Force Attacks

Brute force is basically a trial-and-error approach where attackers try many passwords in the hope of cracking your account. There are even programs that can cycle through hundreds of password combinations in seconds.

This is why it's important to have a unique password. Criminals often start with 'Most Common Passwords' lists and then move on to common words and phrases (even with letters swapped out for numbers, e.g. passw0rd). However, if you construct a long and unique password or passphrase, you should be sufficiently covered (until it's time to change it).

System Vulnerabilities 

As operating systems continue to evolve, flaws in their code can surface. Attackers can exploit these holes to get around password security. Microsoft, Apple, and others are typically quick to release updates that fix these holes, which is why you have to keep your system up to date. Skipping even one critical patch could essentially leave your front door unlocked.

Spoofing

Spoofing sounds like what it is: something pretending to be what it isn't. A common spoof, for example, is a site pretending to be an Office 365 popup window. The window says your session has timed out and you need to log in again. Without thinking, you log in and the window goes away. Since you were never actually logged out, you don't notice anything, but the criminal now has your login information.

Even worse, he or she can now sit back and wait: read your emails, learn your writing style and who you correspond with. Then the criminals can leverage your account to spoof and/or phish some of your contacts (more on phishing below).

A good way to prevent that kind of spoofing is to pay attention to your browser's security indicators and the website's SSL certificate. For more information on that, check out our browser safety tips blog.

Phishing

Phishing is closely related to spoofing. Let's use the example from above and say the person whose login was compromised is an executive. One version of this is a message from the executive's account containing a misleading link. You may think it's a Google Doc, but really it's a link to ransomware or password-stealing software.

Unfortunately, there isn't a definitive way to combat phishing other than awareness. Make sure employers and employees are cautious of strange requests or emails that feel 'off'. If it involves money or sensitive data transfers, make sure to use two-step verification. The bottom line is: always think before you click.