Shitty sites that store PWs in plain text, or they get compromised and the password is figured out from the hash. Probably the most common way right now is phishing, and with AI/LLM it’s pretty easy to do spearphishing attacks on a large scale. The target enters their password on a seemingly legit site, but it’s actually an attacker’s site that logs the PW. There are lots of ways to get a password, and password-only authentication is considered pretty weak, even with a “strong” password.
Shitty sites that store PWs in plain text, or they get compromised and the password is figured out from the hash. Probably the most common way right now is phishing, and with AI/LLM it’s pretty easy to do spearphishing attacks on a large scale. The target enters their password on a seemingly legit site, but it’s actually an attacker’s site that logs the PW. There are lots of ways to get a password, and password-only authentication is considered pretty weak, even with a “strong” password.