How to Protect Your Passwords From Getting Stolen

Take these steps to keep your accounts safe


Hacking into online accounts is easier than most people realize, and hackers go about it in a few different ways. Sometimes, they use a well-known method called phishing. Some hackers guess passwords or use a password reset tool to create a new password without the account owner's knowledge and consent. The best way to protect your password from thieves is to understand how they steal passwords, then shore up your practices.

How Hackers Steal Passwords

Hackers frequently steal passwords using a technique called phishing, in which the hacker sends an official-looking email that directs the recipient to a fake website or form. Enter a password on the fake site, and the hacker grabs the password.

For example, a hacker might send an email that says your bank account password is too weak and needs to be reset. Such an email would then direct you to click a link to a fraudulent website that looks like the site it's mimicking. When you click the link and land on the page, the hacker hopes you'll enter your email address and password, without suspecting anything is amiss.

When you submit the form, the fake site forwards your username and password to the hacker (phishing kits commonly email the captured details to the attacker the moment they are typed). The hacker can then log in to the real bank site as you, see your transactions, move money around, and maybe write online checks. The fake page does not need to be sophisticated; it only needs to look right for the few seconds you spend on it.

A hacker can also gain access to an account by using the website's password reset tool. This tool is meant to let you regain access when you forget your password, usually by answering secret questions or by clicking a link sent to your email address. If a hacker knows the answers to the account's secret questions, or already controls the email account the reset link goes to, they can set a new password and log in with it. The old password never has to be stolen at all.

Don't answer fun Facebook memes where people post information about themselves and see how they compare to their friends. Some of those questions are common account-recovery security questions. This type of social-engineering meme prompts users to hand over critical information in a public way, making it trivial to circumvent password-recovery tools even if the hacker doesn't have your password.

The same concept applies to any website that uses a login, such as an email provider, credit card company, or social media website. If a hacker steals an online backup service password, for example, they can see every file backed up in an account, download these files to their computer, and view the account owner's private documents, pictures, and other digital papers.

Another method is simply to guess the password. Hackers rarely guess by hand; they run tools that try lists of the most common passwords, dictionary words and phrases, and details about you such as your birthday, address, pet's name, or phone number, and they also try passwords leaked in other sites' breaches in case you reused one. If your password is based on personal details or a simple phrase, a hacker can get right in without you even knowing.

Spotting a Hack Job

Each time you get an email about resetting your password, check the sender's email address to make sure the domain name is real. It usually looks like something@websitename.com. For example, support@bank.com would suggest that the email came from Bank.com. Hackers can spoof email addresses very easily, though, meaning the From address you see in your mail client can be faked to say anything.

To look behind the visible From address, view the email's raw headers, the original contents behind the message you see. In Gmail, click the menu in the upper-right corner of any message (the three vertical dots), then select Show original.

The From header in that view is the same one the hacker can fake, so don't stop there. Gmail's Show original page summarizes the SPF, DKIM, and DMARC checks near the top: if DMARC shows fail for the From domain, the message did not pass the checks that domain publishes for its own mail, and you should treat it as forged. Further down, the Return-Path header shows the address that bounces go back to, and the Received headers show which mail servers actually handled the message. A Return-Path or sending server on an unrelated domain is a strong sign that the From address was forged.
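As an added example (not part of the original article), the Python below reads two constructed raw messages of the kind Show original displays and applies the checks above: it compares the From domain with the Return-Path domain and reads the SPF, DKIM, and DMARC verdicts from the Authentication-Results header the receiving server added. The messages, domain names, and addresses are made up for illustration; bank.example is a placeholder for the real bank's domain.

```python
"""Inspect raw email headers the way Gmail's "Show original" view exposes them.

Added example; the two messages below are constructed samples with made-up
domains (bank.example, mail-deliver.example.net, mx.example.com).
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed phishing sample: the visible From claims bank.example, but the
# bounce address (Return-Path) and the authentication results say otherwise.
RAW_PHISH = b"""Return-Path: <bounce@mail-deliver.example.net>
Received: from mail-deliver.example.net (mail-deliver.example.net [203.0.113.7])
        by mx.example.com with ESMTP id abc123
        for <victim@example.com>; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.com;
       spf=fail smtp.mailfrom=mail-deliver.example.net;
       dkim=none;
       dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
To: victim@example.com
Subject: Your password is too weak
Content-Type: text/plain; charset=utf-8

Please reset your password at the link below.
"""

# Constructed legitimate sample: every domain agrees and all three checks pass.
RAW_LEGIT = b"""Return-Path: <no-reply@bank.example>
Received: from mta.bank.example (mta.bank.example [198.51.100.4])
        by mx.example.com with ESMTP id def456
        for <victim@example.com>; Mon, 01 Jan 2024 10:05:00 +0000
Authentication-Results: mx.example.com;
       spf=pass smtp.mailfrom=bank.example;
       dkim=pass header.d=bank.example;
       dmarc=pass header.from=bank.example
From: "Bank" <no-reply@bank.example>
To: victim@example.com
Subject: Your monthly statement
Content-Type: text/plain; charset=utf-8

Your statement is ready.
"""


def domain_of(address: str) -> str:
    """Return the domain part of a header address like '"Name" <user@host>', lowercased."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Parse the receiving server's Authentication-Results header into
    {'spf': ..., 'dkim': ..., 'dmarc': ...}; a missing method reads as 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    header = str(msg.get("Authentication-Results", ""))
    for part in header.split(";"):
        part = part.strip()
        for method in results:
            if part.startswith(method + "="):
                results[method] = part[len(method) + 1:].split()[0].lower()
    return results


def check_sender(raw: bytes) -> dict:
    """Compare the visible From domain with the Return-Path domain and the
    SPF/DKIM/DMARC verdicts, and collect every reason to distrust the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    auth = auth_results(msg)

    reasons = []
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if auth["dmarc"] != "pass":
        reasons.append(f"DMARC {auth['dmarc']} for From domain {from_domain}")
    if auth["spf"] == "fail" or auth["dkim"] == "fail":
        reasons.append(f"SPF {auth['spf']}, DKIM {auth['dkim']}")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        verdict = check_sender(raw)
        print(label, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The same three headers appear in the Show original view of any Gmail message, so the checks translate directly to reading it by eye: find the Authentication-Results line, look for dmarc=pass, and confirm the Return-Path domain matches the From domain.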

What to Do

Your best defense against password phishing is to never click a link in an email message unless you know for certain that it's valid. Know what your banking sites look like, so you can spot fakes. If you know what to look for and are suspicious each time you enter your password online, you'll go a long way in preventing successful phishing attempts. You can take a few other precautions, too.

Check the Link in the Address Bar

Before you click, hover over the link (or long-press it on a phone) and compare the address it actually points to with the text you see. After you open it, check that the browser's address bar shows the site you expect. If, say, a whatever.bank.com link changes to somethingelse.org in the browser's address bar, exit the page immediately. Watch for look-alike hosts too: bank.com.somethingelse.org and secure-bank.com are not Bank.com. Only the host name, the part between https:// and the next slash, tells you where you really are; everything after that slash is a path the attacker chose.

Look for HTTPS

Check that the URL starts with https. The s means the connection is encrypted and the site holds a certificate for that domain name, so nobody between you and the site can read what you type. It does not mean the site is honest: phishing sites routinely use HTTPS with valid certificates for their own look-alike domains, so the padlock only tells you the connection is private, not that the domain is the right one. Never enter financial details on a site that is not using HTTPS, and never assume HTTPS alone makes a site safe.
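Added example, not from the original article: a Python check that applies both rules above to a link before you trust it. It accepts a URL only when the scheme is https and the host name is the expected domain or one of its subdomains, and it rejects the usual tricks: the expected name placed in a subdomain of another domain, in the user@ part before the host, or in the path, and hyphenated or internationalized look-alikes. bank.example and evil.example are placeholders for the real bank and an attacker's domain, and the sample links are constructed.

```python
"""Decide where a link really leads before trusting it.

Added example; bank.example stands in for the site you expect, evil.example
for an attacker's domain, and SAMPLE_LINKS are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def link_is_trusted(url: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the URL uses https and its host
    name is expected_domain or a subdomain of it; every other case fails."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"

    # .hostname strips any user:password@ prefix and :port suffix; only the host matters.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host name in URL"
    if parts.username is not None:
        # https://bank.example@evil.example/ really connects to evil.example
        return False, f"'{parts.username}@' before the host is a decoy; real host is {host}"

    expected = expected_domain.strip().rstrip(".").lower()
    if host == expected or host.endswith("." + expected):
        return True, f"host {host} belongs to {expected}"

    hint = ""
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        hint = " (internationalized name; may use look-alike characters)"
    return False, f"host {host} is not {expected}{hint}"


# Constructed sample links of the kinds described above.
SAMPLE_LINKS = [
    "https://www.bank.example/login",            # genuine subdomain of the expected site
    "https://bank.example.evil.example/login",   # expected name used as a subdomain elsewhere
    "https://bank.example@evil.example/login",   # expected name in the user@ part
    "https://secure-bank.example/login",         # hyphenated look-alike
    "http://www.bank.example/login",             # right host, no encryption
    "https://evil.example/bank.example/login",   # expected name only in the path
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = link_is_trusted(link, "bank.example")
        print("OK  " if ok else "STOP", link, "->", reason)
```

The host-name rule is the whole point: the browser connects to whatever is between https:// and the next slash, and nothing else in the URL, however reassuring it looks, changes that.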


Take the Direct Route

If you get an email with a link you aren't sure about, don't click it. Open a new tab and type the website's address into the address bar yourself, or use a bookmark you saved earlier, then log in and look for the notice the email claimed to be about. A real password reset or fraud alert will be visible in your account; a phishing email's claim will not.

Take Advantage of Security Options

Set up two-factor (or two-step) authentication if the website supports it so that, each time you log in, you need both the password and a second factor: a code from another device, a prompt on your phone, or a hardware key. A hacker who phishes or guesses your password then still needs that second factor to get in.

If the site supports it, prefer a hardware security key (such as a YubiKey) or an authenticator app such as Google Authenticator or Microsoft Authenticator over codes sent by text message or email. Text-message codes can be captured by an attacker who persuades your carrier to move your number to their SIM, and emailed codes are only as safe as your email account. Authenticator-app codes are generated on your phone and change every 30 seconds, but a fake login page can still ask for the current code and relay it to the real site within that window. A hardware security key is the strongest option because the browser binds the key's response to the domain you are actually on, so a look-alike phishing domain receives a response the real site will not accept.

Choose Difficult Questions

Choose complex questions for password reset security checks, or don't answer them truthfully, so that guessing is nearly impossible for a hacker. For example, if one of the questions is "In what town was my first job?" answer it with a password of sorts, such as topekaKSt0wn, or better, something completely unrelated and random, like UJTwUf9e, and store the answer in your password manager alongside the password. Anything a friend, a coworker, or a public-records search could turn up (your mother's maiden name, your first school, your first car) is a weak answer however hard the question sounds.

Use a Secure Password and Password Manager

Many people have simple passwords. Change those if you have them. Length matters more than anything else: a random 16-character password mixing capital letters, numbers, and punctuation, or a passphrase of four or five unrelated words, takes far longer to guess than a short password dressed up with a symbol or two, and substitutions such as P@ssw0rd! are in every guessing list. Use a different password for every site, so a breach at one site doesn't unlock the others. If you have a very strong, secure password, you probably won't remember it off the top of your head (which is good). Use a password manager to generate and store your passwords where you can access them securely. Dedicated password managers are available free, and the Google Chrome browser has a password manager built in (Chrome settings > Passwords).
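As an added example for the two recommendations above (random recovery answers and long, unique, random passwords; not part of the original article), the Python below generates both from the operating system's secure random source, reports the entropy of what it generated, and lists the reasons a human-chosen password would fall quickly to the guessing described earlier. The common-password list and the guess rate are constructed placeholders for the breach lists and benchmarks a real checker would use.

```python
"""Generate random passwords and recovery answers, and estimate their strength.

Added example. COMMON_PASSWORDS is a tiny constructed stand-in for published
breach lists, and the guess rate in main is an assumption for comparison only.
"""
from __future__ import annotations

import math
import secrets
import string

# 94 printable ASCII characters: letters, digits, punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample of the kind of entries found on most-common-password lists.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "p@ssw0rd", "iloveyou", "welcome1"}


def generate_secret(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password or security-question answer from the OS CSPRNG.
    secrets.choice, not random.choice: the random module's generator is predictable."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generated_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Valid only for generated strings; human-chosen ones are far more guessable."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every string of the given entropy at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def weakness_reasons(password: str, personal_details: tuple[str, ...] = ()) -> list[str]:
    """Reasons a chosen password would fall quickly to guessing; empty means none found."""
    reasons = []
    if len(password) < 12:
        reasons.append(f"only {len(password)} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in a common-password list")
    if password.isdigit():
        reasons.append("digits only")
    for detail in personal_details:
        if detail and detail.lower() in password.lower():
            reasons.append(f"built from personal detail {detail!r}")
    return reasons


if __name__ == "__main__":
    password = generate_secret(20)
    answer = generate_secret(16, string.ascii_letters + string.digits)
    print("generated password:", password, f"({generated_entropy_bits(20, len(ALPHABET)):.0f} bits)")
    print("generated recovery answer:", answer)
    rate = 1e10  # assumed offline guess rate, for comparison only
    for n in (8, 12, 20):
        print(f"years to exhaust {n} random characters:",
              f"{years_to_exhaust(generated_entropy_bits(n, len(ALPHABET)), rate):.3g}")
    print("P@ssw0rd:", weakness_reasons("P@ssw0rd") or "no obvious weakness")
    print("Topeka1987!:", weakness_reasons("Topeka1987!", ("Topeka", "1987")) or "no obvious weakness")
```

The entropy figures show why length wins: each extra random character from this alphabet adds about 6.5 bits, roughly a hundredfold more work for the guesser, while swapping an a for an @ in a word already on the list adds almost nothing.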


Trust and Verify

Store sensitive information, such as credit card and bank details, only in online accounts hosted by companies you trust.

Use Secure Payment Methods

For online purchases, consider using PayPal (which offers additional layers of protection). Another solution is to use a temporary or reloadable card so there's no balance a hacker can access.