Cyber Rebels

How I Would Steal Your Password (If I Were a Cybercriminal)

[Image: laptop displaying a login prompt]

Let’s be clear—I’m not a hacker. But if I were, I wouldn’t need elite skills or dark web access to get your password. All I’d need is a bit of social engineering, a few common tools, and a basic understanding of human nature. Because truthfully, most people don’t make it that hard.

In this blog, I’m going to walk you through how your password could be compromised—not through some Hollywood-style heist, but through everyday mistakes. The goal? To help you understand how attackers think, so you can stop making their lives easy.

Step 1: I’d Start with Your Email Address

If I’m trying to steal your password, the first thing I need is your login—usually your email address. And guess what? It’s probably already out there.

Most people use the same email for years—and during that time, it ends up in hundreds of places: social media, online stores, newsletters, old accounts, job boards. And even if you’re careful, your email might’ve been exposed in a data breach without your knowledge.

That’s where a tool like Have I Been Pwned comes in. It’s a free online service that lets you check whether your email address has appeared in known data breaches. If it has, that means it’s already floating around the internet—along with any exposed passwords that may have been attached to it.

For me, as an attacker, it’s a goldmine. I can take your email, plug it into breach databases or automated tools, and instantly find out which of your accounts may already be compromised.

Once I have your email, the next step is simple: find out where you use it.

Step 2: I’d Try the Usual Passwords

Let’s start with the classics: password123, qwerty, 123456, or your pet’s name (especially if you’ve ever posted about “Fluffy” online). You’d be surprised how many people still use these weak, common passwords—often across multiple accounts.

Why? Because password psychology is rooted in convenience. People want passwords they can remember, so they turn to things that feel familiar: names, dates, hobbies, or keyboard patterns. It’s easier to remember your favourite football team and the year you graduated than a string of random characters.

Even when people try to be clever, they usually follow predictable patterns. Summer2023 becomes Autumn2023, then Winter2024. And many rely on substitutions they think are secure—like @ for a, 1 for I, 0 for o, and adding a ! at the end. But guess what? Those tricks are built into every password-cracking tool I’d use. A password like P@ssw0rd! looks complex, but to me, it might as well be password.

Once I find a password that works—maybe from a past data breach—I’ll try it across dozens of websites: email, Netflix, online shopping, social media. That’s called credential stuffing, and I can automate it with bots. If you reuse passwords (and most people do), I’ve probably just unlocked multiple doors with a single key.
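The checks a password form should run to catch exactly these habits, as an added example that is not from the post: it undoes the common substitutions, strips the trailing year or punctuation, and compares what is left against a denylist and a season-plus-year pattern. The denylist is a constructed handful of the classics named above; a real deployment would use a full breached-password list.

```python
import re

# Constructed denylist of the "classics" the post names; a real check would use
# a large breached-password list (for example a Have I Been Pwned download).
COMMON_PASSWORDS = {"password", "password123", "qwerty", "123456", "welcome", "letmein"}

# The substitutions attackers' rule sets already undo, mapped back to letters.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)(19|20)\d\d[!?.]?$")


def candidates(password: str) -> set:
    """All the forms a cracker would test: lowercase, suffix-stripped, de-leeted."""
    lower = password.lower()
    core = re.sub(r"[^a-z]+$", "", lower)   # Summer2023 -> summer, P@ssw0rd! -> p@ssw0rd
    return {lower, core, lower.translate(LEET_MAP), core.translate(LEET_MAP)}


def weaknesses(password: str, personal_terms=()) -> list:
    """Return the reasons this password would fall to the tricks in the post;
    an empty list means none of them applied."""
    reasons = []
    if candidates(password) & COMMON_PASSWORDS:
        reasons.append("matches a common password once substitutions are undone")
    if SEASON_YEAR.match(password.lower()):
        reasons.append("season + year pattern")
    for term in personal_terms:              # pet names, teams, years from social media
        if term.lower() in password.lower():
            reasons.append(f"contains personal detail '{term}'")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Summer2023", "Fluffy2019!", "correct horse battery staple"]:
        print(pw, "->", weaknesses(pw, personal_terms=["Fluffy"]) or ["no obvious weakness"])
```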

Step 3: I’d Send You a Fake Email

Let’s say your password isn’t on a list. No problem—I’ll just ask you for it. And here’s where psychology is my best friend.

Most people are more trusting than they realise. If an email looks official and urgent, they don’t stop to question it. Especially if it appears to come from someone they trust—like their manager, bank, or favourite online service.

Here’s an example:

Subject: Urgent: Unusual Login Activity on Your Account

Hi [Your Name],

We’ve detected suspicious activity on your account from an unrecognised device. For your security, please log in to verify your identity:

[Verify Your Account Now]

If no action is taken within 24 hours, access to your account may be temporarily restricted.

—The Security Team

That button? It goes to a fake login page that looks exactly like the real one. You enter your email and password, and I collect it instantly.

I don’t need to break in. I just need to make you believe I’m helping protect you.
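The red flags in that message, turned into a check a reader or a mail filter can apply, as an added example that is not from the post. The sample email is constructed to mirror the one above; the domains are placeholders, and `registrable_domain` is a deliberately crude last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the message in the post. The domains are
# placeholders; "example-bank.com" stands in for the service being impersonated.
SAMPLE = """\
From: The Security Team <security@example-bank.com>
Subject: Urgent: Unusual Login Activity on Your Account
Content-Type: text/html

<p>We've detected suspicious activity on your account from an unrecognised
device. For your security, please log in to verify your identity:</p>
<a href="http://example-bank.com.login-verify.example/signin">Verify Your Account Now</a>
<p>If no action is taken within 24 hours, access to your account may be restricted.</p>
"""

URGENCY = re.compile(r"\b(urgent|suspicious activity|within \d+ hours|verify your)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix list, so
    co.uk-style domains are not handled)."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw: str, trusted_domains) -> list:
    """Return the red flags a reader (or a mail filter) should notice."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender_host = msg["From"].rsplit("@", 1)[-1].rstrip("> ")
    reasons = []
    if URGENCY.search(msg["Subject"] or "") or URGENCY.search(body):
        reasons.append("urgency or verify-now language")
    if registrable_domain(sender_host) not in trusted_domains:
        reasons.append(f"sender domain {sender_host} is not one of the trusted domains")
    for href, text in LINK.findall(body):
        parsed = urlparse(href)
        host = parsed.hostname or ""
        # The trusted name appears, but only as a subdomain of something else.
        if registrable_domain(host) not in trusted_domains:
            reasons.append(f"'{text.strip()}' actually points to {host}")
        if parsed.scheme != "https":
            reasons.append("login link does not use https")
    return reasons


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE, trusted_domains={"example-bank.com"}):
        print("-", flag)
```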

Step 4: I’d Create a Fake Wi-Fi Network

If phishing doesn’t work, maybe you’ll help me out in person—without realising it.

I bring a laptop or small portable device to your local café and set up a rogue Wi-Fi hotspot with a name like “CoffeeShop_Guest” or “Free_Coffee_WiFi.” My signal is stronger than the legitimate one, so your device either auto-connects or you pick mine without a second thought.

Once you’re connected, I can monitor your traffic. If you visit a site that doesn’t enforce HTTPS, I can intercept your login details or inject a fake login screen to grab your credentials.

I could even do this with a Flipper Zero. It’s discreet, portable, and perfect for creating rogue networks in public spaces. I’ve covered this tool in detail in a previous blog, so I won’t go too deep here—but let’s just say you wouldn’t know it wasn’t the real network.

It feels seamless to you. But I’m sitting just a few metres away, quietly collecting everything I need to access your digital life.

This isn’t some high-stakes cyber-heist. It’s low-effort, high-impact opportunism—driven by psychology and just enough technical know-how.

Step 5: I’d Try to Guess It Based on You

If all else fails, I’ll go back to basics—and social media is where I’ll start.

I’ll scroll through your public profiles, picking up details you’ve probably never thought twice about sharing: your dog’s name, your child’s birthday, the year you got married, your hometown, your favourite football team, or your go-to holiday destination. These are the exact kinds of things people use in passwords—and also the answers to security questions.

Think about it: if your bank’s password reset process asks, “What’s your first pet’s name?” or “What’s your mother’s maiden name?”, there’s a good chance I can find that information—or make an educated guess—just by looking at your posts, comments, and old profile updates.

Even if I can’t guess your password directly, I might be able to trigger a password reset. If I know your email and enough personal details to answer your security questions, I could take over your account without ever needing to crack a thing.

In short, the more you share, the easier you make it for someone like me to connect the dots. Oversharing online doesn’t just risk embarrassment—it can be the missing link in a full-blown cyber attack. If you use something personal—and many people do—it’s just a matter of time.

Step 6: I’d Use Brute Force

Let’s say none of the easier tricks work. Your password isn’t on a leaked list, you didn’t click my phishing link, and your Wi-Fi habits are solid. My last resort? I’d let a machine do the hard work.

Brute force attacks involve using software that tries thousands—even millions—of password combinations until one finally works. It sounds time-consuming, but with modern processing power and cloud-based tools, it can be surprisingly fast—especially if your password is short or based on dictionary words.

If your password is something like “Welcome1” or “BookLover2023,” it’s probably crackable within minutes. Tools like Hashcat, fed with wordlists such as RockYou, make this process even more efficient.

That’s why long, complex passwords matter so much. The longer and more random your password is, the harder it becomes to brute-force. Adding just a few extra characters can mean the difference between your account being safe or wide open.
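Why “BookLover2023” is minutes of work while a random string of the same length is not, as an added example that is not from the post. It contrasts the naive keyspace (every string over the password’s alphabet) with the far smaller space a wordlist-plus-digits attack has to search; the guess rate and dictionary size are assumptions chosen for illustration.

```python
import re
import string

GUESSES_PER_SECOND = 1e10  # assumption: one offline cracking rig against a fast, unsalted hash
WORDLIST_SIZE = 100_000    # assumption: the attacker's dictionary holds this many words

# Capitalised or lowercase words, optional digits, optional single trailing punctuation.
WORD_DIGITS = re.compile(r"^((?:[A-Z]?[a-z]+)+)(\d*)[!?.]?$")

def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover if the password were truly random."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    return sum(n for test, n in classes if any(test(c) for c in pw))

def random_keyspace(pw: str) -> int:
    """Guesses to exhaust every string of this length over this alphabet."""
    return charset_size(pw) ** len(pw)

def structured_keyspace(pw: str):
    """Guesses when the password is dictionary words plus digits, the shape a
    wordlist-plus-rules attack targets. A 19xx/20xx suffix counts as a year
    (about 200 options), not four random digits. None if the shape differs."""
    m = WORD_DIGITS.match(pw)
    if not m:
        return None
    words = re.findall(r"[A-Z]?[a-z]+", m.group(1))
    digits = m.group(2)
    digit_options = 200 if re.fullmatch(r"(19|20)\d\d", digits) else 10 ** len(digits)
    return WORDLIST_SIZE ** len(words) * digit_options

def crack_seconds(guesses: int) -> float:
    return guesses / GUESSES_PER_SECOND

def humanize(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds" if seconds >= 1 else "under a second"

if __name__ == "__main__":
    for pw in ["Welcome1", "BookLover2023", "m7#Qp2!vLz9&"]:
        st = structured_keyspace(pw)
        print(f"{pw:15} random: {humanize(crack_seconds(random_keyspace(pw))):>15}   "
              f"structured: {humanize(crack_seconds(st)) if st else 'n/a'}")
```

The random-string column is what a length-and-complexity meter reports; the structured column is what the password is actually worth once its shape is predictable.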

So How Do You Stop Me?

Let’s flip the script. Here’s how to make your password virtually uncrackable:

🔹 Turn on two-factor authentication (2FA) so even if someone gets your password, they can’t log in.

🔹 Don’t reuse passwords—especially for email, banking, or business logins.

🔹 Be suspicious of emails that ask you to log in, click links, or reset passwords.

🔹 Avoid public Wi-Fi for anything sensitive unless you’re using a VPN.

🔹 Stop using personal info in passwords. Birthdays, names, and football teams are too easy to guess.

Awareness Is Your First Line of Defence

You don’t need to become a cybersecurity expert. But you do need to think like an attacker.

At Cyber Rebels, we run live, human-first cybersecurity awareness training that shows teams exactly how hackers exploit everyday habits—and how to break them. From phishing simulations to password best practices, we help you stay one step ahead.

💡 Ready to outsmart the attackers? Book a session with Cyber Rebels and build habits that protect your people, your data, and your business.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
