Geslar

How hackers steal passwords — 7 methods

Understand the threats to protect yourself. These are the most common methods attackers use — and how to defend against each one.

Alarming context
81% of breached accounts used a weak or stolen password (Verizon DBIR 2024).
10 billion stolen passwords were published in a single leak, "RockYou2024", in July 2024.
< 1 sec is how long it takes to crack the password "123456" with a modern GPU.
1,513 cyber incidents were reported in Croatia in 2025 (CERT.hr).

1. Brute Force attack
How it works
The attacker uses software that automatically tries all possible character combinations until it guesses your password. Modern GPUs can test billions of combinations per second. Short passwords (up to 8 characters) fall in seconds or minutes.
How to protect yourself
Use passwords of at least 16 characters or passphrases of 4+ words. Geslar generates passphrases from Croatian dictionaries that are resistant to brute force because they combine length and unpredictability.

Example: The password "Marko2024" has about 35 bits of entropy — it would fall in less than a minute. A Geslar passphrase "livada-oblak-čokolada-kesten" has 72+ bits — it would take 300+ years.
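The entropy figures above come from one formula: a secret made of L symbols, each drawn uniformly from a pool of N choices, has log2(N^L) = L * log2(N) bits, and an attacker who tests R guesses per second needs at most 2^bits / R seconds. The following is an added example, not Geslar's code; the guess rate of 10 billion per second is an assumption chosen to match "billions per second" above, and the dictionary size is left as a parameter because the article does not state it.

```python
import math

# Assumed (not from the article): an offline attacker testing 1e10 guesses per second.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `pool_size` choices: log2(pool^length)."""
    return length * math.log2(pool_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Same formula for a passphrase: each word is one symbol from a dictionary-sized pool.
    This only holds when the words are chosen at random, not by the user."""
    return entropy_bits(dictionary_size, word_count)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; on average an attacker needs half of it."""
    return (2 ** bits) / rate


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR


def dictionary_size_needed(target_bits: float, word_count: int) -> int:
    """Smallest dictionary for which `word_count` random words reach `target_bits`."""
    return math.ceil(2 ** (target_bits / word_count))


if __name__ == "__main__":
    # The article's two data points, run through the model above.
    print(f"35 bits: {seconds_to_exhaust(35):.1f} s to exhaust")
    print(f"72 bits: {years_to_exhaust(72):,.0f} years to exhaust")
    # Dictionary size implied by 72 bits from 4 random words.
    print(f"4 words need a dictionary of {dictionary_size_needed(72, 4):,} words for 72 bits")
    # For comparison: 8 random lowercase letters.
    print(f"8 lowercase letters: {entropy_bits(26, 8):.1f} bits")
```

The model describes a uniformly random secret; a human-chosen password such as "Marko2024" gets far fewer bits than its character count suggests, which is why strength estimators score it near 35 bits rather than the 50+ that nine random mixed characters would earn.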

2. Phishing
How it works
You receive an email, SMS, or message that looks like it comes from your bank, Facebook, or Google. You click a link that leads to a fake page identical to the real one. You enter your credentials — and they end up with the attacker. 32% of all cyber attacks in Croatia are phishing (CERT.hr 2025).
How to protect yourself
Never click links from unexpected messages. Always check the URL in the address bar. Enable 2FA on all accounts — even if an attacker gets your password, they can't get in without the second factor. Geslar Authenticator generates TOTP codes locally.

Red flags: Urgency ("Your account will be blocked!"), grammatical errors, suspicious links (goog1e.com instead of google.com), requests for personal data via email.

3. Credential Stuffing
How it works
Hackers take email + password pairs from previous data breaches and automatically try them on hundreds of other services. If you use the same password across multiple sites, one breach compromises all your accounts. Bots test thousands of combinations per second.
How to protect yourself
Never use the same password on two services. Use a password manager that generates a unique password for every account. Geslar does this automatically — every password is completely independent and random.

Check if you're affected: Use the Geslar security check to see whether your password or email appears in a known breach. If it does, immediately change the password on that service and everywhere else you've used it.
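A breach check can be done without ever sending the password itself: the Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>) takes only the first five hex characters of the password's SHA-1 and returns every known suffix under that prefix with a breach count, so the match is made locally. The block below is an added example of that k-anonymity lookup; it is not Geslar's security check. The response body is constructed to illustrate the format (the count shown for "password" is made up), and the live fetcher is only there to show how the same parsing applies to a real query.

```python
import hashlib
import urllib.request

# Constructed response body in the "SUFFIX:COUNT" shape the range API returns; not a live query.
# The second line is the real SHA-1 suffix of "password"; its count is invented for the demo.
SAMPLE_RANGE_RESPONSE = """0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent out and the 35-char
    suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Map each returned suffix to its breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password was seen in breaches (0 if not found).
    `fetch_range(prefix)` returns the response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in fetcher that returns the constructed sample above for any prefix."""
    return SAMPLE_RANGE_RESPONSE


def live_fetch(prefix: str) -> str:
    """Real query; only the 5-char prefix leaves the machine. Not used by the demo."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10) as r:
        return r.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "livada-oblak-čokolada-kesten"):
        n = breach_count(candidate, offline_fetch)
        verdict = f"seen {n:,} times, change it everywhere" if n else "not in the sample data"
        print(f"{candidate!r}: {verdict}")
```

The important property is what leaves the client: a five-character prefix shared by hundreds of other hashes, never the password and never its full hash.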

4. Keyloggers
How it works
Malware installs on your computer and records every keystroke. Everything you type — passwords, card numbers, private messages — is sent to the attacker. Keyloggers often spread through pirated software, fake updates, or infected USB drives.
How to protect yourself
Use an up-to-date antivirus. Don't install software from unverified sources. Use a password manager with an autofill function — the Geslar browser extension fills in passwords without typing, so a keylogger has nothing to record.
5. Rainbow Table attack
How it works
The attacker uses a precomputed table that maps hashes (scrambled, one-way versions of passwords) back to the original passwords. If a service hashes passwords poorly (without a "salt"), the attacker can almost instantly find your password in the table.
How to protect yourself
Use long, random passwords that don't exist in dictionaries. Geslar uses PBKDF2 with 600,000 iterations and a salt for every vault — even if someone gets the hash, it would take them an extremely long time to crack it.
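The difference between the two storage schemes described above is small in code but decisive: an unsalted hash of "123456" is the same everywhere, so one precomputed table answers every lookup, while a per-user random salt fed into a slow key-derivation function gives every user a different hash that no shared table can cover. The block below is an added example contrasting the two with the Python standard library; it is not Geslar's vault code. The 600,000-iteration count is the figure the article gives; the tiny "rainbow table" is constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # iteration count stated in the article
SALT_BYTES = 16

# Constructed stand-in for a precomputed table: unsalted SHA-256 of a few common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty"]


def unsalted_digest(password: str) -> str:
    """The weak scheme: same password, same digest, on every service."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


UNSALTED_TABLE = {unsalted_digest(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(digest_hex: str):
    """Instant reversal of an unsalted hash via the precomputed table (None if not present)."""
    return UNSALTED_TABLE.get(digest_hex)


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """The strong scheme: PBKDF2-HMAC-SHA256 with a fresh random salt per stored hash.
    Returns (salt, key); both are stored, the salt is not secret."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    leaked = unsalted_digest("123456")
    print("unsalted SHA-256 reversed from table:", lookup_unsalted(leaked))

    # Two users with the same password get unrelated salted hashes.
    salt_a, key_a = hash_password("123456")
    salt_b, key_b = hash_password("123456")
    print("salted hashes identical:", key_a == key_b)
    print("table lookup on salted hash:", lookup_unsalted(key_a.hex()))
    print("verify correct password:", verify_password("123456", salt_a, key_a))
    print("verify wrong password:", verify_password("1234567", salt_a, key_a))
```

Each verification costs the defender one PBKDF2 run, a fraction of a second; an attacker with the leaked salt and hash has to pay that same cost for every guess against every user, which is where the "extremely long time" comes from.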
6. Social Engineering
How it works
The attacker manipulates you into revealing your password. They pretend to be IT support, a colleague, or a boss. "I need your password to fix something on the server" or "Send me the access credentials, it's urgent." It works because it targets human psychology — trust, authority, and urgency.
How to protect yourself
Never give your password to anyone — no legitimate service will ever ask for your password by phone or email. If you need to share access, use Geslar Secure Send — an encrypted link with a PIN and automatic expiration.
7. Man-in-the-Middle (MitM)
How it works
The attacker inserts themselves between you and the server, usually on public Wi-Fi (cafe, airport, hotel). They intercept traffic and read everything you send — including passwords. Especially dangerous on unencrypted networks or with fake access points.
How to protect yourself
Avoid logging into sensitive accounts on public Wi-Fi. Make sure the URL starts with https://. Use a VPN for additional protection. Geslar works completely locally — your passwords never travel over the internet.
Protect yourself
Hackers have an arsenal of tools, but you have the power to make their job nearly impossible. Here's a summary:
A unique password for every service
One breach should not compromise all your accounts. A password manager solves this automatically.
2FA on everything
Two-factor authentication is your second line of defense. Even if an attacker gets your password, they can't get in without the second factor.
Skepticism toward messages
Every unexpected request for a password or personal data is suspicious — no matter how legitimate it looks.

Geslar — the free password manager that protects against all 7 threats.


Author
Daniel Legin
Daniel Legin builds Geslar — a free password generator and manager made in Croatia.