Security awareness

3 surprising ways your password could be hacked

Dan Virgillito
February 16, 2021 by
Dan Virgillito

Many people are familiar with the basic threats to their passwords: social engineering, password guessing and so on. But there are other surprising ways hackers could obtain your password information, some of which involve routine, seemingly harmless activities. 

If your password is compromised, adversaries can use it for credential stuffing, where they feed it into other online websites to gain access to multiple accounts. As 72% of people reuse passwords in their personal life, it’s almost guaranteed that some compromised passwords will work when hackers use them on other websites. 

Reducing the risk of password theft starts with learning how hackers can gain control of your passwords. Here are some new attack vectors you should be mindful of.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

1. Watching your shoulder movements during video conferencing

Adversaries can find out what a person is typing in video conferencing chats through tiny visual cues, researchers at the University of Texas have claimed. The statement comes after a team of researchers figured out what a user typed with 75 percent accuracy by noticing how their shoulders and upper arms moved during a Zoom video call. 

Essentially, the research team analyzed the subtle pixel shifts around the user’s shoulder to identify the four main directions he was moving (North, South, East and West). This allowed them to know what direction the user is moving to enter their password. With that information, the researchers were able to develop software that cross-references these movements with dictionary-word profiles to identify the entered password.

This is a concerning development for most people, as we have come to rely on video conferencing platforms like Skype, Zoom, Google Meet and more during the lockdown period. Attending video meetings could mean leaving yourself vulnerable to keystroke interference attacks that may result in the theft of online banking passwords, email credentials and other sensitive data.

2. Hacking Windows passwords through your wallpaper

Wallpapers and themes might seem innocent, but they can serve as a gateway for hackers to steal your passwords. Last year in September, a security researcher named Bohops shared a password harvesting trick that leverages Windows theme files — although it relies on phishing for passwords rather than injecting malware into the files.

Bohops set a Windows wallpaper location to a file based in a remote location to abuse it for phishing. He revealed that pointing files to external locations like a password-protected HTTP page instead of a locally present image makes them vulnerable to phishing attacks. The reason being the password-protected site with the HTTP Basic Access Authentication would naturally ask the person to enter the password to that site before letting them access the wallpaper. 

The trick is effective because if a user enters the web URL of a Windows theme or wallpaper hosted on a password-protected website, they’re prompted to enter their username and password in the same fashion as the HTTP page. Therefore, users are most likely to proceed, which means hackers could point theme files to a website they control and collect passwords without much effort.

3. Cracking Wi-Fi (WP2A) passwords with new tools

WPA2 is a password-protected protocol that offers a secured, encrypted connection over a WiFi network. The old way of cracking WPA2 required a hacker to disconnect an authorized device from the access point they wanted to crack. The technique was noisy and required adversaries to send packets that forcibly disconnect a connected user from the network. This type of unauthorized interference increased the risk of being detected.

Now, hackers don’t need to intercept two-way communications to try and crack passwords, as a new technique called Hashcat allows them to communicate directly with a vulnerable access point. The method involves using a Kali Linux-compatible wireless network adapter and a set of wireless attack tools called hcxtool

The tools allow adversaries to interact with nearby Wi-Fi access points to capture PKMID and WPA hashes. Once captured, they can load the hashed list on the adapter to attempt a brute-force crack using a dictionary, mask and other password guessing techniques. Hence, Hashcat offers a safe route to hackers trying to steal passwords through Wi-Fi.

However, success depends on whether the target passwords are present in the derived password list and the strength of those passwords.

How to protect against new threats

Fortunately, there are ways to thwart password thieves and achieve cyber resilience against the new threats. 

To prevent shoulder-surfing over Zoom, you could go close up to the camera so that the screen displays your head only or grow your hair very long. Additionally, you could make significant movements while typing to defend yourself from the attack. However, the first two measures are better if you’re having professional meetings via video conferencing.

For defending against Windows wallpaper hacks, the best course of action is to read password prompts carefully. The dialog box text can indicate that the password request is from a remote website rather than Microsoft’s official website. The login message, too, should be reviewed as it would surface from the authenticated site rather than the operating system. These are red flags that the prompt is from a rogue site and should be ignored to avoid a potential hack.

Finally, create a strong password to safeguard against WPA2 password hacks. Use a combination of numbers, uppercase and lowercase letters and special characters. You can also add a long passphrase (a long random string of letters, such as to your password to make it difficult to crack, which can deter hackers from attempting brute-force attacks. 

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.


We live in an age where measures like not using your nickname or pet name as the password are not enough to prevent them from being hacked. With new, unusual hacking techniques surfing one after the other, you need to keep yourself up to date with the latest password protection practices to safeguard your personal information. Hopefully, the tips mentioned in this post will help you defend against some of the newer threats.


Why 72% of people still recycle passwords, TechRepublic

Serious Security: Hacking Windows passwords via your wallpaper, Naked Security

Hashcat developer discovers simpler way to crack WPA2 wireless passwords, Help Net Security

Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.