Phishing is one method, the hackers will send false emails, messages, calls, or even websites that are designed to trick users into downloading malware or even sharing their sensitive information and/or personal data, could even trick them into giving up their passwords willingly, so they don’t have to brute force.

There’s also direct connection, if the hacker can get to your device (hardware), they can just plug in any of their specialized device (like a thumb drive) and run some program to compromise the device and use it to steal the device’s data or even control it.

Don’t even use any random USB cables from strangers or charging station lol, those specialized devices can be so small it can fit in the head of a USB cable (the end of the cable that you plug it in).

Imagine it as physical safe secured by combination lock. (In simplest way it actually is)

You can try every possible combination, but that takes time…

Easiest way is to get the right combination elsewhere…

Bad lock will have its password written on it (stored as plaintext)

You can try to make similar looking safe and give it to user. Once they enter the correct combination, you have it too.

You can exploit bug in the lock or the safe itself, to get inside.

You can wait till the user opens the safe and steal the data right from their desk

It depends on what you want to break, but let’s go with user accounts for something.

The first thing you can do is brute force short passwords. I don’t remember where we’re at right now, but cracking 8 character passwords through bruteforce is pretty easy nowadays. It’s basically worth the effort since computational power has come a long way.

From there, you could use leaks from websites. Once you’ve got a database, say from a hack of some organization. There have been quite a few. If the business was stupid enough to store the data in plain text, you already have a head start. People tend to reuse passwords across accounts, same for user names.

You can also crack passwords if they take longer once you have the database. That leads to tables of most commonly used passwords that would be hard to crack quickly. There’s something called [rainbow tables](https://en.wikipedia.org/wiki/Rainbow_table) which makes the cracking a lot faster.

ETA: If you know what you want to hack, you can try something like “Bankname1234” chances are that some will use some scheme like that to remember the password. If a website gives you the rules for passwords like minimum 8 characters, must include a capital letter, at least one number, a special character from this list, and no spaces, you can go to town with likely guesses. The landscape has changed and even the person who wrote some of the early guidelines on passwords [regrets them](https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity)

Of course, if you can get the target to give up their credentials by phishing, spear phishing (targeted phishing), using malware like keyloggers or good ol’ social engineering, then you’re golden.

Password reuse also doesn’t help. There are too many damn password these days to remember them all, that includes workplaces too.

You can also see if some piece of equipment is still on default passwords. A classic is some piece of networking equipment still on the “admin”, “admin” credentials. It basically doesn’t hurt to try these.

Then, you have that one time a [French TV station showed the password on camera](https://www.bbc.com/news/world-europe-32248779). Sometimes, you just have to be at the right place at the right time…

Another important aspect is always making sure to have a unique (as in never used before by anyone) password for things. This isn’t just to mitigate you leaking your password and giving access to everything either.

Say a hacker sniffs your packet as you connect to a secure wifi network. They now have an encrypted copy of the wifi password.

They can’t actually use this to connect, and as you said brute forcing it or using dictionary perm attacks to get the plaintext would (hopefully) take ages. However there are lists available from previous major hacks that include all the user plaintext passwords.

Even if you have an amazing password like ‘13crazypinkcows!’ if you used it to sign up for Neopets or whatever a decade ago then it might have made it’s way onto those lists. Poor passwords that other people might have already used and gotten onto the lists are also a problem. Searching the list only takes like 10min and removes any real design work the hacker needs to crack it. Then they’ll have access to the network and can do other things to trick traffic into getting routed through their computer etc.

A good bare minimum approach to avoiding this problem is to tack qualifiers onto your passwords. E.g. <password>reddit2023, though much more secure is to use a password manager whenever possible so that public sites only ever deal with truly random garbled strings.

I’ve been working in IT for 20+ years. Most of the time hacks and leaks happen because some idiot didn’t change the default username and passwords. It’s amazing how many systems I still come across where they haven’t changed those default setting. They’re just asking to be breached.

12+ years as a software engineer. There are 50 weak links that come before data encryption in terms of security liabilities. If a hacker can, say, steal your credentials via a phishing attack, you’re toast. And many other avenues of attack.

They don’t brute force the encryption. They find a way to steal the password, or guess it, or trick you into accidently revealing it.

IBM estimate that 95% (and no I am not exaggerating) of data leaks are caused by user error.

There are a lot of different ways.

Part of it is the entropy of your encryption will generally decrease over time (processing power improves/becomes more affordable to start scaling) leading to points where an encryption algorithm assumed Pretty Good 15 years ago is now in the costs less than 10 grand in compute time to brute force.

Additionally, novel exploits can reveal “Oh that ecliptic curve is actually predictable this way.”

All that to say, the other comments are accurate, breaking encryption is not as likely as someone social engineering the keys or even just being able to retrieve the decryption keys when they exfiltrated the encrypted data in the first place.

Most encryption breaches are going to be for situations where the individual has already retrieved your data but wasn’t able to get the keys to it (CC info, password manager vaults, your iCloud photo collection).

Encryption itself is very rarely compromised. It’s the implementation of it that is.

As another commenter said, you don’t try every combination to enter the safe, that takes too long. You find flaws in the safe itself that allow you to break it open without needing the code.

Or trick the person into giving you the code.

Or waiting until the safe is unlocked.

Or by using a leaked password database and hope it works.