- Brute Force ('Dictionary') Repetition
- Social Engineering (commonly: phishing)
- Administrator Back Doors
The term "brute force" means to overpower the defense through repetition. In the case of password hacking, brute forcing involves dictionary software that recombines English dictionary words with thousands of varying combination. (Yes, much like a Hollywood safecracker movie scene, but much slower and much less glamorous). Brute force dictionaries always start with simple letters "a", "aa", "aaa", and then eventually moves to full words like "dog", "doggie", "doggy". These brute force dictionaries can make up to 50 attempts per minute in some cases. Given several hours or days, these dictionary tools will overcome any password. The secret is to make it take days to crack your password.
2) Social Engineering Attacks
Social engineering is the modern con game: the hacker manipulates you to divulge your password by using some kind of convincing personal contact. This personal contact might involve direct face-to-face communications, like a pretty girl with a clipboard doing interviews in a shopping mall. Social engineering attacks might also occur over the phone, where a hacker will masquerade as a bank representative calling to confirm your phone number and bank account numbers. The third and most common social engineering attack is called phishing or whaling. Phishing and whaling attacks are deception pages masquerading as legitimate authorities on your computer screen. Phishing/whaling emails will often redirect the victim to a convincing phishing website, where the victim types in their password, believing the website to be their actual bank or online account.
3) Administrator Back Doors
This kind of attack is akin to stealing the building master keys from the building janitor: the perpetrator accesses the system as if they were an entrusted employee. In the case of computer administrators: special all-access accounts allow the user into areas where only trusted network administrator should go. These administrator areas include password recovery options. If the hacker can enter your system with the administrator's account, the hacker can retrieve passwords of most anyone on that system.
Related: How to Make a Good Hacker-Resistant Password
Related: Examples of Good vs. Weak Passwords