What is social engineering as a way of obtaining passwords, and why does it bypass even perfect technical defenses?
Social engineering tricks a person into handing over their password (or running malware that captures it) — it attacks the human, not the math.
The idea:
Instead of cracking a hash, the attacker manipulates the user. Classic examples:
- Emails with malicious attachments (macros) or links to infected/look-alike sites
- A "support desk" phone call asking you to "confirm" your password
- A fake login page (phishing) that captures whatever you type
Why it works:
No amount of hashing, salting, or password length helps if the user simply gives away the secret. People are trusting, busy, and easy to pressure with urgency ("your account will be locked in 10 minutes!").
Why it's so common:
It's often cheaper and faster than computation. Why rent a GPU cluster to crack a 16-character password when you can email a convincing PDF and have the victim type it for you?
Defenses:
- Be suspicious of unexpected attachments, links, and urgent requests
- Verify the sender and the real URL before entering credentials
- Use phishing-resistant MFA (FIDO2/passkeys) — even a captured password is useless without the bound second factor
- Security-awareness training for staff
Tip: Phishing-resistant hardware keys (FIDO2) are the strongest counter, because the key only releases its secret to the genuine site origin — a fake login page gets nothing.
Go deeper:
Social engineering (security) (Wikipedia) — pretexting, phishing, quid-pro-quo: attacking the human, not the crypto.