Those Who Can’t Do, Teach Steal

A password is private and confidential piece of data. It has the ability to protect sensitive personal and business information. A simple set of characters can be the sole gatekeeper to all of your financial and private information. Because of this, attackers continuously target passwords in hopes of gaining access to data, and often use the t following  techniques:

Brute Force

Brute force involves using an automated program that can guess passwords very quickly. This program may use several different techniques, including:

  • Using a dictionary of common words
  • Using a list of the most common passwords
  • Failing other techniques’ attempt combinations of letters and numbers

This technique needs to generate many guesses in a short amount of time, so a simple account lockout or delay can render this method ineffective.

Guessing Game

Since account lockouts are generally tracked for each account separately, a variation of this technique is to guess the most common passwords against a list of accounts to avoid triggering the account lockout safety mechanism.

Research has shown that the top 5 passwords most commonly used on the Internet are:

  • 123456
  • 12345
  • 12345678
  • password
  • iloveyou

Passwords comprised of simple words, names, places, numbers, and even combinations (such as ‘abc123’) are trivial to guess. The best way to prevent these attacks is to follow best practices for creating strong passwords (it almost seems that we should list these best practices, or link to another blog or resource that does).

Being Sneaky

One of the oldest and simplest methods for someone to get your password is to simply steal it by

  • Watching over your shoulder as you type it
  • Finding a sticky note hidden under the keyboard (or worse, right on the monitor!)
  • Viewing it in a text file on the computer when you step away for a coffee break

Believe it or not, hackers can steal your password because, for whatever reason, you directly told it to them at some point in time.


Another method for an attacker to get your password is through the compromise of a third party system, such as an online forum or retailer. Be warned, if an attacker accomplishes this feat, the chances of reversing the process and protecting your information are minimal. However, by following password best practices such as not reusing passwords for multiple systems, you can minimize the damage that can be done.

Remember, a password is private and confidential personal data, and should be treated and protected as such.

Want to learn more about password security and other security awareness topics?

Take a look at our PCI-Essentials course at

PCI Essentials comprises 10 highly interactive modules, each focusing on a specific area of cardholder and information security. The training is designed to address all of the security awareness topics needed for compliance with the training requirements of PCI DSS.