Well, here are the possibilities
- Social Engineering by knowing about person and answer to questions when resetting password of any account
- Breached Data: Websites get hacked every single day & if there is an account in one of the hacked website database, its easy to get your password. But obviously there is an issue here, now a days websites are using encrypted password hashes means when you enter a password to register in website, that password goes through an algorithem and converts into long hash (set of random numerics & alphabets) and this encrypted password cannot be reversed. And whenever you login next time, that password which you enter gets encrypted with same algorithem and check whether saved hash is same as logging in password. So, there is one possibility to decrypt password which is called brute force. If password is retrieved after brute forcing, and same password is used elsewhere, then you can understand that your password is hacked.
- Phishing: This is a method to make you victim by making you feel like you are logging in to real website and stealing your login details. Assume that you received some threatening mail from your bank about your amount getting withdrawn, most of you are going to click whatever button you find there to check what went wrong which could be a phishing page (looks so similar to real banking page), you are probably going to enter your real username & password & those details will be sent to attacker. So here is the way most criminals practice.
- Bruteforce: As said in previous method, bruteforce is always final option which also consumes a lot of time & storage space. I will be explaining about it in simple way below because your password could be at risk.
Suppose I used a password as abcde & as many websites use different type of password encryption algorithems, these below are its converted encrypted hashes
Encryption Type Encrypted Password
DES: $1$/NEhPgP7$KktqPXE5tiBeE6/Z5xuyH.
MD5: ab56b4d92b40713acc5af89985d4b786
sha1: 03de6c570bfe24bfc328ccd7ca46b76eadaf4334
sha224: bdd03d560993e675516ba5a50638b6531ac2ac3d5847c61916cfced6
sha256: 36bbe50ed96841d10443bcb670d6554f0a34b761be67ec9c4a8ad2c0c44ca42c
sha384: 4c525cbeac729eaf4b4665815bc5db0c84fe6300068a727cf74e2813521565abc0ec57a37ee4d8be89d097c0d2ad52f0
sha512: 878ae65a92e86cac011a570d4c30a7eaec442b85ce8eca0c2952b5e3cc0628c2e79d889ad4d5c7c626986d452dd86374b6ffaa7cd8b67665bef2289a5c70b0a1
ripemd128: a0a954be2a779bfb2129b72110c5782d
ripemd160: 973398b6e6c6cfa6b5e6a5173f195ce3274bf828
ripemd256: 81d8b58a3110a9139b4ddeccb031409e8af023067cf4c6f0b701dab9ecc0eb4e
ripemd320: a94dc1bc825db64e97718305ce36bfef32cc5410a630999678bcd89cc38c424269012ec8c5a95830
whirlpool: 5d745e26ccb20fe655d39c9e7f69455758fbae541cb892b3581e4869244ab35b4fd6078f5d28b1f1a217452a67d9801033d92724a221255a5e377fe9e9e5f0b2
snefru: 8d2891fc6020d7dc93f7561c0cfdde26426192b3e364a1f52b634482009dc8c8
snefru256: 8d2891fc6020d7dc93f7561c0cfdde26426192b3e364a1f52b634482009dc8c8
gost: b18cfd04f92dc1d83325036bc723d36db25ede41ae879d2545fc7f377b700899
crc32: f44d5ba3
crc32b: 8587d865
fnv132: 0e2fc14a
fnv164: 1f6062c561d33a4a
joaat: b98559fc
haval128,3: 51d4032478aa59182916e6c111fa79a6
haval160,3: 8d7c2218bdd8cb0608ba2479751b44bb15f1fc1f
haval192,3: 4a106d88931b60df1ba352782141c473e79019022d65d7a5
haval224,3: 177da8770d5bf50e1b5d82dd60df2635102d490d86f876e70f7a4080
haval256,3: 3913ab70f6219eefe10b202de5991efdbc4a808203bd60bbfbfc043383ae8f90
haval128,4: 61634059d9b8336feb32ca27533ed284
haval160,4: f74b326fe2ce8f5ba151b85b16e67b28fe71f131
haval192,4: 88a58d9011ca363a3f3cd113ffeaa44870c07cc14e94fb1b
haval224,4: 3eef5dc9c3b3de0f142db08b89c21a1fdb1c64d7b169425dba161190
haval256,4: 8f9b46785e52c6c48a0178edc66d3c23c220d15e52c3c8a13e1cd45d21369193
haval128,5: 11c0532f713332d45d6769376dd6eb3b
haval160,5: 53734616dd6761e2a1d2bd520035287972625385
haval192,5: cddf16e273a09e9e2f1d7d4761c2d35e1dd6ee327f1f5afd
haval224,5: d8cbe8d06dc58095ec0e69f1c1a4d4a90893aae80401779ceb6646a9
haval256,5: c464c9a669d5b43e4c34808114dce4ecc732d1b71407e7f05468d0b15bff7e30
tiger128,3: bfd4041233531f1ef1e9a66d7a0cef76
tiger160,3: bfd4041233531f1ef1e9a66d7a0cef76a3e0fe75
tiger192,3: bfd4041233531f1ef1e9a66d7a0cef76a3e0fe756b36a7d7
tiger128,4: 7fd0e2faec50261ef48d3b87c554ee73
tiger160,4: 7fd0e2faec50261ef48d3b87c554ee739e8fbd98
tiger192,4: 7fd0e2faec50261ef48d3b87c554ee739e8fbd98f9a0b332
What if I say you that there is no need for you to get breach data so you can collect password hashes or no need for you to generate any wordlist at all, because this is 2021 and we got 24,108,940,757 words which are been used till now, this is going to be very easy to crack a password right. If you found that password is not from 24 Billion word list, you need to go back and generate wordlists yourself.
Wanna have access to those 24 Billion wordlists / passlists? Here you go.