How to Protect Your Passwords From Getting Stolen

Take these steps to keep your accounts safe

Unfortunately, hacking into online accounts is easier than most people realize, and hackers go about it in a few different ways. Sometimes, they use a well-known method called phishing. Some hackers guess passwords outright or use a password reset tool to create a new password without your knowledge and consent. The best way to learn how to protect your password from thieves is to understand how they steal passwords.

How Hackers Steal Passwords

Hackers frequently steal passwords using a technique called phishing, in which the hacker sends you an official-looking email that directs you to a fake website or form. You enter a password on the fake site, and the hacker grabs the password.

For example, a hacker might send you an email that says your bank account password is too weak and needs to be reset. Such an email would then direct you to click a link to a fraudulent website that can look remarkably like the site it's mimicking.

When you click the link and land on the page, you enter your email address and password, probably without ever suspecting anything is amiss. When you enter the data into the form, the hacker gets an email that contains your account info and password — along with full access to your bank account. A hacker could then log in using your credentials, see your bank transactions, move money around, and maybe even write online checks.

The same concept applies to any website that uses a login, such as an email provider, credit card company, social media website, etc. If a hacker steals your online backup service password, for example, she then can see every file backed up and download them to her own computer, read your private documents, view pictures, etc.

A hacker can also gain access to an account by using the website's password reset tool. This tool is meant to help you remember your password — but if a hacker knows the answers to your secret questions, he can reset the password and then log in to your account with the new password he created.

Yet another method to hack someone's account is to simply guess the password. If your password is based on personal details (for example, a birthday, address, or phone number) or a simple phrase, a hacker can get right in without you even knowing.

Spotting a Hack Job

Each time you get an email about resetting your password, check the sender's email address to make sure the domain name is real. It usually looks like "" For example, "" typically would indicate that you're getting the email from Hackers can spoof email addresses very easily, though — meaning they can fake the sending address.

To see the actual sending address, view the email's source code — the original contents that are behind the message you see. In Gmail, click the menu at the top right of any message (the three vertical dots), then Show original.

Gmail message

You'll see the actual sending address in the From field.
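The Show original view exposes the full headers, not just the display name. As an added example (not from the article), this script parses a constructed raw message and compares the domain shown in From with the Reply-To and Return-Path domains, which is the check you would make by eye; all addresses and domains are placeholders.

```python
# Added example: parse an email's raw source and compare the address shown in
# the From header with the Reply-To and Return-Path (envelope sender) headers.
# The raw message below is constructed for illustration; all domains are placeholders.
from email import message_from_string
from email.utils import parseaddr

RAW_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
From: "Example Bank Security" <security@example-bank.com>
Reply-To: support@example.net
To: customer@example.org
Subject: Your password is too weak - reset it now
Content-Type: text/plain

Please click the link below to reset your password.
"""

def domain_of(address):
    """Return the lowercase domain part of an address header, or '' if absent."""
    _name, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_summary(raw):
    """Collect the domains a reader should compare before trusting a message."""
    msg = message_from_string(raw)
    return {
        "from": domain_of(msg["From"]),
        "reply_to": domain_of(msg["Reply-To"]),
        "return_path": domain_of(msg["Return-Path"]),
    }

def sender_mismatch(raw):
    """True if the visible From domain differs from the Reply-To or envelope domain."""
    s = sender_summary(raw)
    return any(s[k] and s[k] != s["from"] for k in ("reply_to", "return_path"))

if __name__ == "__main__":
    print(sender_summary(RAW_MESSAGE))
    print("Mismatch:", sender_mismatch(RAW_MESSAGE))
```

A mismatch is not proof of fraud (mailing services often send on a company's behalf), but it is the cue to stop and type the site's address yourself instead of clicking.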

Original message view in Gmail

What to Do

Your best defense against password phishing is never clicking on a link in an email message unless you know for certain that it's valid. Know what your banking sites look like, so you can spot fakes. If you know what to look for and are suspicious by default each time you enter your password online, you'll go a long way in preventing successful phishing attempts. You can take a few other precautions, too.

Check the link in the address bar

When you open a link in an email, check that the web browser resolves the link properly. If, say, a link changes to, in the browser's address bar, exit the page immediately.

Look for https

Check that the first letters in the URL are https. The s indicates that the connection to the site is encrypted; never enter any financial details at a site that is not secure.
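The two checks above (the address bar shows the site you expect, and the scheme is https) can be written down as a small function. This is an added example, not from the article; the bank hostname and the sample links are placeholders, and it goes slightly beyond the text by also flagging a user@ prefix, which can make the real host easy to misread.

```python
# Added example: check a link from an email against the site you expect
# before entering credentials. Hostnames and links below are placeholders.
from urllib.parse import urlsplit

def check_link(url, expected_host):
    """Return the reasons a link should not be trusted (empty list means it passed)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()
    problems = []
    # Look for https: anything else is not an encrypted connection.
    if parts.scheme != "https":
        problems.append("not https")
    # The host must be the expected site itself or one of its subdomains;
    # the expected name appearing earlier in the host or in the path does not count.
    if host != expected and not host.endswith("." + expected):
        problems.append("host %r is not %r" % (host, expected))
    # A user@ prefix puts a familiar-looking name in front of the real host.
    if parts.username is not None:
        problems.append("contains user@ prefix")
    return problems

# Constructed sample links for a bank whose real site is example-bank.com.
SAMPLE_LINKS = [
    "https://www.example-bank.com/login",
    "http://www.example-bank.com/login",
    "https://example-bank.com.example.net/login",
    "https://example-bank.com@example.net/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_link(link, "example-bank.com") or "ok")
```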

https en Facebook

Take the direct route

If you get an email with a suspicious link, type the website URL directly into the navigation bar, rather than clicking the link.

Take advantage of security options

Set up two-factor (or two-step) authentication if the website supports it so that, each time you log in, you need both your password and a code that you receive on a different device. You'll receive the code via your email or your phone, so the hacker would need both your password and access to your email account or phone.

Choose difficult questions

Choose complex questions for password reset security checks, or simply avoid answering them truthfully so guessing would be nearly impossible for a hacker. For example, if one of the questions is "In what town was my first job?", answer it with a password of sorts, such as topekaKSt0wn or even something completely unrelated and random, like UJTwUf9e.

Use a secure password and password manager

This sounds obvious, but you'd be surprised at how many people have very simple passwords. Change those if you have them. Include capital letters, numbers, and special characters such as punctuation marks. If you have a very strong, secure password, you probably won't remember it off the top of your head (which is good); use a free password manager to keep all your passwords where you can access them securely. Google's Chrome browser has a secure password manager built right in.

Chrome settings > Passwords

Trust and verify

Store sensitive information, such as credit card and bank details, only within online accounts hosted by companies you trust.

Use secure payment methods

For online purchases, consider using PayPal (which offers additional layers of protection). Another solution: Use a temporary or reloadable card so there's no balance a hacker can access.