How can an attacker read passwords by intercepting data transfer (e.g. with a keylogger), and what makes this dangerous?
If an attacker can observe input or unencrypted traffic — via a keylogger, malware, or a tapped network — they capture passwords as you type or send them.
Two main flavours:
-
Keylogger — software or hardware that records every keystroke and ships it to the attacker. It captures the password before any hashing or encryption, in plaintext, including everything you type into any site.
-
Sniffing unencrypted traffic — if credentials travel over the network without encryption, an attacker with access to the firewall, switch, or cabling can simply read them off the wire.
Why it defeats strong passwords:
The capture happens at the source (your keyboard) or in transit, so the password's length and complexity are irrelevant — the attacker sees the exact characters.
How it gets in:
Keyloggers are frequently delivered as malware (the same social-engineering attachments/links), so this attack and social engineering often chain together.
Defenses:
- Keep endpoints clean (anti-malware, patching) to block keyloggers
- Always use encrypted channels (HTTPS/TLS) so sniffed traffic is unreadable
- MFA limits the damage — a captured password alone still isn't enough to log in
Tip: This is one reason MFA matters even with "uncrackable" passwords: a keylogger captures the password trivially, but it can't replay a one-time code or a hardware-key challenge.
Go deeper:
Keystroke logging (Wikipedia) — software/kernel/hardware keyloggers and form-grabbing capture credentials before encryption.