According to research by Thycotic, the number of passwords in the cyberspace will grow to 300 billion by the year 2020. And as the number of passwords increases, organizations all over the world will face major cybersecurity risks.

In 2016, over 3 billion passwords and user credentials were stolen, which means on an average, 95 credentials were stolen every second.

Why Do Passwords Get Hacked?

The government of the United Kingdom ran a security awareness campaign in 2014 and the results showed that an average person had to remember 19 passwords. And yet, the data from 2016 showed that only 35 percent of people used strong passwords that consisted of three or more words.

Since netizens have a lazy attitude towards internet security, hacking cases have continued to grow and breaches occur almost every other day.

Social Media Enhances the Risk Factor

According to experts from Thycotic, cybercrime risks are elevated due to people’s dependence on social media platforms. People don’t like remembering several passwords so they just use one social media logon that links several different accounts.

These accounts share user data without user knowledge. Thus, the already risky cyber world becomes even riskier with social media.

To make matters worse, many users haven’t activated multi-factor authentication on their social media profiles. And many of them use reused or weak passwords, which puts them into an even bigger risk of being hacked.

Surprising Ways to Steal Passwords

We often assume that hackers would need a lot of information about us to steal our password and this is why we don’t take cybersecurity seriously.

The truth is that hackers can decipher passwords and PINs just by seeing how we tilt the phone when typing in our credentials.

Hackers Might Want to Monitor the Way You Tilt Your Phone

According to cyber specialists at Newcastle University, malicious websites and apps can use a simple JavaScript to spy on users. This JavaScript gets information by motion sensors in the device and deciphers the login information.

This is done by examining the device movement as the information is typed in. It’s possible to crack 4-digit PIN codes with an accuracy of 70% on the first guess. By the fifth guess, this accuracy reaches 100%.

lifetime vpn

How this JavaScript Works

An experiment was held where a JavaScript code was used to reveal user PINs. A JavaScript called PINlogger.js was used on Android phones.

In this experiment, as a user visited a website run by the attacker, the code embedded in the website started monitoring the orientation and motions sensor streams. And this doesn’t require user permission. These streams were analyzed and passed through an artificial neural network.

Dr. Maryam Mehrnezhad, the lead author of the paper, explains that most tablets, smartphones, and smart wearables some with a number of sensors. Some well-known sensors are GPS, mic, and camera. And then there are others like NFC, gyroscope, accelerometer, and proximity and rotation sensors.

But since websites and apps don’t need to ask permission to use many of these sensors, malicious entities can secretly read your sensor data and obtain sensitive information about you. This could include physical activities, call timing, touch actions, and passwords.

The most worrying part is that some mobile browsers allow malicious websites to use this code to spy on other apps that are open. So if your bank account app is open on your phone and meanwhile you visit a malicious website on a browser, the website can spy on the details you enter.

The study revealed that each user action (including scrolling, clicking, tapping, and holding) generates a unique motion trace. So when the user was on a webpage, the team could find out the part of the page the user was on.

According to Dr. Siamak Shahandashti, a co-author of the research paper, it’s like a jigsaw puzzle. The more sensors you spy on, the easier it becomes to put the pieces together.

Whether a user holds the phone in one hand and types with their thumb or holds with one and types with the other hand, the device tilts in certain ways when users type. And with these motions, it’s easy to recognize patterns.

The researchers warned the major browser corporations like Google and Mozilla about this issue. Mozilla partially fixed the issue in Firefox version 46.

Apple acted on it by stopping the accessibility of device motion and device orientation data for iPhone 4s and later models.

Another Study Finds that Hackers Can Use Brainwaves to Steal Data

A study conducted by the University of Alabama suggests that hackers can hack brainwaves to steal information. The findings suggested that electroencephalograph (EEG) headsets that sense brainwaves require better security as hackers could guess passwords by monitoring their data.

EEG technology is used in medical science as it’s a noninvasive way of recording brain electrical activity.

Once highly expensive, this technology is now used for scientific research to help disabled people control their prosthetic limbs. It is also available in the market as a gaming headset.

EEG headsets are often used in gaming for controlling robotic toys. They cost between $150 and $800 and are sold by quite a few brands.

The study found that if a person logged into their bank account while wearing the headset, their password can be stolen.

How an attack can be planned

To plan a real-world attack, the hacker can ask the user to enter a set of characters to restart a game after pausing – like a Captcha image.

The hacker can monitor the brain waves as the user enters each character. After about 200 characters, the hacker can take an educated guess about the characters a user will enter corresponding to the brain waves generated.

So if you wear a headset and enter a 4-digit PIN to log into your bank account, it can easily be stolen.

Facebook wants a share of your brainwaves

In 2017, Facebook started a new project to read the brainwaves of its users. The project is aimed at letting people type words directly from their brains without having to use their hands.

While this project might be useful for physically challenged people, it has raised concerns among privacy advocates.

Facebook says that this system will share only the information that you have decided to share, so your private data will remain private. Instead of calling or texting a friend, you can directly send them brainwaves to let them know you’re thinking about them.

While Facebook promises that only some parts of your thoughts will be shared, the fact is that they may be able to read all your thoughts. And as Facebook is already notorious for its data monitoring practices, it won’t be wise to share your thoughts with it.

Regular Hacking Methods

Apart from these terrifying ways of stealing passwords, there are some traditional and more common methods as well. Let’s discuss some of these.

Dictionary attack

The dictionary attack uses a file that consists of all the words found in a dictionary. The password cracker tries all these words and their combinations to log into your account. So if you have simply combined two words like “strongpassword”, it can be cracked. Sure, it will take a few extra seconds to figure out the two words but the password will certainly be cracked.

Brute force attack

The brute force attack is similar to the dictionary attack except that it lets the hacker crack non-dictionary words as well. It works on alphanumeric combinations. So if your password is 2aaa, it can be detected. If you use a long password with a number of alphanumeric combinations, it might take millions of years to crack it, which isn’t feasible for the hacker.

Good ol’ phishing

Phishing is the simplest of them all and yet very effective. You don’t have to be a hacker to phish for someone’s details. A phishing email can make unsuspecting users reveal their details to the hacker.

If you get an email from your bank and you need to log into your account, make sure you don’t use the link given in the email. Instead, type the address in the address bar to open it. This is because the hackers might have set up a fake page to lure you.

Phishing doesn’t need a lot of hacking tools. It basically makes use of the gullibility of the victim. So make sure you exercise caution before clicking on a link.

WiFi Traffic Monitoring Attacks

If you use public WiFi networks and then log into your accounts, your passwords may get hacked. The WiFi you use might be monitored by hackers. And it’s not a difficult thing to do. In fact, apps to monitor Wi-Fi networks are pretty easily available.

So anyone who wants to know about your online activities can monitor the public Wi-Fi network you’re connected to.

Worse still, the Wi-Fi network might have been set up by hackers. You might think the network of your local café is secure but hackers might create a network with a similar name, trying to dupe people into connecting with their fake network instead.

If you want to stay safe from hackers when you access a public network, you should use a reliable VPN. A VPN will encrypt your traffic so the hacker will not be able to read the data. Here’s how you can use a VPN to stay safe on a public Wi-Fi.


If You Can’t Trust Passwords, What Are the Alternatives?

In the last few years, we have seen that passwords are not enough to protect user privacy. As the number of accounts grows, people have to remember a lot of passwords, which is why they tend to reuse them. This creates security flaws.

This is why it’s important to replace the password-based security paradigm. Researchers keep coming up with new ways to replace passwords and some of these methods are discussed below.


This is an authentication method made for mobile devices and it uses semantically linked images. This method offers a graphical interface to the user and the touch screen of the mobile device makes it easy for the user to interact with these images.

Users have to drag and drop some image tokens in their right positions to gain entry to the account. Graphic passwords are intuitive and simpler to use because images and shapes are easier to remember than text and numbers.


Trusona has a device-centric multi-factor authentication technique that lets the users register by scanning their ID proofs. It uses up to four factors for authentication including biometrics, ID proof scanning, and hardware tokens, etc.


This is an identity based authentication tool that uses biometric features to allow employees to access their work accounts without the need for traditional passwords.

NoPassword will ask the users to scan their fingerprints or give other biometric information. Once it is verified, an encrypted signature will be generated that will sync to the mobile data of the user.

And once the signature is established, the employee’s work account will be opened. The biometric data is not kept by the company and is stored locally on users’ phones.

Is There Something I Can Do?

For now, we have to work with traditional passwords until a better security mechanism starts gaining acceptance. To be safe:

  • Make sure you change your passwords regularly
  • Try to use a combination of alphanumeric characters as passwords
  • Since it’s difficult to remember passwords, you can use a password manager to make things easier for you
  • Make sure you activate two-factor or multi-factor authentication on all your accounts to add an extra layer of safety

Secure your digital life with Surfshark

Only $1.99/mo. 30-day money-back guarantee with every plan