
How passwords are hacked and what fraudsters do with them

By Diane Amato

Published February 15, 2024 • 4 Min Read

You’ve likely heard the importance of creating a strong password and keeping it safe from hackers. But what happens when your passwords have been compromised?

Whenever we are asked to create a new password – whether it’s for a shopping site, a new social media account or a financial institution – we are reminded to create strong, hard-to-guess passwords and to keep them confidential. While there is a great deal of guidance out there for creating and maintaining strong password habits, we don’t always know the risks of ignoring these guidelines. What could go wrong with a hacked password? And how likely is it that your password will be hacked, anyway?

We shed some light here.

How hackers steal passwords

Some of the most common passwords in the world are: 123456, password, qwerty and guest. So, if your password isn’t among these popular, easy-to-guess options, you’re fine, right? Not so fast. There are a number of ways hackers can steal passwords beyond attacking this low-hanging fruit.

Data breaches

According to data from the Identity Theft Resource Centre, there were 2,116 data breaches in 2023, up from 1,802 in 2022. That translates to 233.9 people affected by data breaches. These breaches can expose usernames and passwords, as well as other personally identifiable information, such as health information, social security/social insurance numbers and credit card numbers.

Password cracking

Using software and bots, hackers can guess passwords over and over until a match is found. Using this technique, it’s easiest for hackers to guess words that are found in the dictionary, as well as shorter passwords. For instance, an eight-character password can be hacked in about eight hours.


If a hacker has information about you – such as your birthday, your pet’s name, your mother’s maiden name – and you use those details in your password, it’s easier for them to guess your password. Hackers can also try some of those common passwords listed above to try to guess yours.
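As an added illustration (not part of the original article), the Python check below screens a new password for the weaknesses described above: short length, a common password, a dictionary word, or a personal detail, including disguised forms such as "P@ssw0rd2024!". The 12-character minimum, the small word list, the character-swap table and the sample personal details are assumptions made for the example.

```python
import re

# The four common passwords named in the article; a real check would use a
# much larger breached-password list (assumption).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "guest"}
# Constructed stand-in for a dictionary word list.
SAMPLE_DICTIONARY = {"sunshine", "dragon", "monkey", "welcome", "football"}
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article

# Undo common character swaps so "p@ssw0rd" is compared as "password".
SWAPS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                       "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Lowercase, drop trailing digits/symbols, then undo character swaps."""
    trimmed = re.sub(r"[\W\d_]+$", "", password.lower())
    return trimmed.translate(SWAPS)


def screen_password(password, personal_details=()):
    """Return the reasons a new password is easy to guess (empty list = none found)."""
    lowered = password.lower()
    core = normalize(password)
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common")
    if core in SAMPLE_DICTIONARY:
        reasons.append("dictionary")
    # Personal details: birthday year, pet's name, maiden name, and so on.
    for detail in personal_details:
        token = detail.lower()
        if len(token) >= 3 and (token in lowered or token in core):
            reasons.append("personal")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    details = ["Bella", "1990", "Tremblay"]
    for candidate in ["123456", "P@ssw0rd2024!", "Sunshine1",
                      "B3lla-Tremblay-1990", "velvet-harbor-comet-tulip"]:
        print(candidate, screen_password(candidate, details))
```

A site would run a check like this when a password is created or changed, before the password is hashed and stored.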

Physical theft

By looking over your shoulder – such as in a co-working space or a coffee shop – a hacker can see your password as you type it in on your screen. When entering a password in a public space, be sure to use the “hide password” feature so it’s not visible.


A keylogger is a common type of malware that, when downloaded onto your device, records your keystrokes. Hackers then use this information to steal your credentials or any other sensitive information you might type on your computer’s keyboard.


In a common phishing attack, a hacker pretends to be a legitimate company and requests sensitive information to perform an action that is important to you – such as unlocking funds or releasing a delivery. Often, they request a username and password.

What happens when your password has been hacked?

When your password is hacked, one of two things commonly happens. Either the cybercriminal will use it to commit additional crimes, or they will sell the password on the dark web to other fraudsters.

Today, there are approximately 24 billion username and password combinations in circulation in cybercriminal marketplaces, demonstrating clear demand for credentials. Here, cybercriminals can make illegal transactions while keeping their identities secret.

How to know if you have been hacked

In some cases, you may find out right away if your password has been compromised. In others, it could take some time before you realize it. Here are some warning signs that may indicate you’ve been hacked:

  • Friends or family receive messages or emails from your account that you didn’t send

  • Your passwords stop working – a cybercriminal may change your password to lock you out

  • Fraudulent transactions – such as purchases made from your accounts that you didn’t make

  • Notifications – companies may send out a security alert if their systems were breached and your data was a part of it

  • Your data is detected on the dark web – there are dark web monitoring programs that can automatically scan for your data

How to protect your passwords

To keep your passwords out of the hands of fraudsters, follow these three tips for easy password protection. If you find out that your password has been compromised, be sure to immediately change it. Always remember to create strong passwords, stay alert to phishing attempts and be aware of your surroundings when entering passwords in a public place.

Looking for more great tips? Our Cyber Security Playbook, The Vault, is packed with great tips for making your passwords stronger and harder to crack. And it has more helpful steps and information to boost your cyber skills.

This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.
