How to hack into 5500 accounts… just using “credential stuffing”
2021-06-04 18:09

If a sloppy internet service stores your password in plaintext and then gets breached, the crooks acquire your actual password directly, regardless of how complex it is.

Keylogging malware on your computer can capture your passwords as you type, obtaining them "at source", no matter how long or weird they might be.

Password re-use is why cybercriminals use a trick called credential stuffing to try to turn a hack that worked on one account into a hack that will work on another.

If they know that one of your accounts was protected by yjCMth15SU,atTWT?, it costs almost nothing in time or effort to see if any of your other accounts use the same password, or one that's obviously related to it, giving the crooks a two-for-the-price-of-one attack.

The suspect, claims the DOJ, simply tried the already-known passwords of thousands of users against their accounts on an online payroll service in New York.
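Because stuffing replays many different usernames, each with its own leaked password, from the same source in a short time, its login pattern looks nothing like one user mistyping a password a few times. The following Python is an added example, not code from the article or from Sophos: it scans constructed authentication-log lines (timestamp, source IP, username, result; an assumed format) for that pattern and lists the accounts that accepted a replayed password so they can be reset. The thresholds (10 distinct usernames within 60 seconds, at least half of the attempts failing) are illustrative assumptions, not figures from the article.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format (ISO timestamp, source IP,
# username, OK/FAIL) is an assumption for this example.
SAMPLE_LOG = """\
2021-06-04T18:00:01 203.0.113.7 alice FAIL
2021-06-04T18:00:02 203.0.113.7 bob FAIL
2021-06-04T18:00:02 203.0.113.7 carol FAIL
2021-06-04T18:00:03 203.0.113.7 dave OK
2021-06-04T18:00:03 203.0.113.7 erin FAIL
2021-06-04T18:00:04 203.0.113.7 frank FAIL
2021-06-04T18:00:05 203.0.113.7 grace FAIL
2021-06-04T18:00:05 203.0.113.7 heidi FAIL
2021-06-04T18:00:06 203.0.113.7 ivan FAIL
2021-06-04T18:00:07 203.0.113.7 judy OK
2021-06-04T18:00:08 203.0.113.7 mallory FAIL
2021-06-04T18:00:09 203.0.113.7 niaj FAIL
2021-06-04T18:00:10 203.0.113.7 olivia FAIL
2021-06-04T18:05:00 198.51.100.9 alice FAIL
2021-06-04T18:05:20 198.51.100.9 alice FAIL
2021-06-04T18:05:40 198.51.100.9 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(seconds=60),
                               min_users=10, min_fail_ratio=0.5):
    """Return {ip: alert} for sources that tried many distinct usernames
    inside one time window with a high failure rate.

    The alert records the largest number of distinct usernames seen in any
    flagged window and every account that accepted a login during such a
    window: those are the accounts whose leaked password still works and
    that should be reset first.
    """
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events_by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, events in events_by_ip.items():
        events.sort()
        alert = None
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                if alert is None:
                    alert = {"distinct_users": 0, "attempts": 0,
                             "compromised_accounts": set()}
                alert["distinct_users"] = max(alert["distinct_users"], len(users))
                alert["attempts"] = max(alert["attempts"], len(span))
                alert["compromised_accounts"] |= {u for _, u, ok in span if ok}
        if alert is not None:
            alert["compromised_accounts"] = sorted(alert["compromised_accounts"])
            alerts[ip] = alert
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {alert['distinct_users']} usernames in "
              f"{alert['attempts']} attempts; accounts to reset: "
              f"{', '.join(alert['compromised_accounts'])}")
```

On the sample, 203.0.113.7 is flagged (13 usernames in 10 seconds, two of which let the replayed password through), while 198.51.100.9, one person retrying their own account three times, is not. Keying on distinct usernames per source rather than on failures per account is what separates stuffing from an ordinary brute-force or a forgetful user; in practice the same logic can be run per /24 or per ASN, since stuffing tools spread attempts across proxies.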

Password managers generate random and unrelated passwords for each account, so there are no similarities a crook could figure out, even if one of the passwords gets compromised.
News URL

https://nakedsecurity.sophos.com/2021/06/04/how-to-hack-into-5500-accounts-just-using-credential-stuffing/