Every hacker remembers the trick with which they first started their illegal but admittedly exciting hobby. These days, that first trick is most likely a simple downloaded tool or one copied from a friend, something like a buffer overflow that grabs root and presents the rush of complete control. But in my day, it was much, much simpler than that.
It was a trick that the present generation would, I’m sure, dismiss as being too easy or, in many cases now, downright impossible over the internet. In the years that followed my first hack, I learned a lot about manipulating systems, analysing technical vulnerabilities, generating bespoke viruses and the like. But my first hack was a simple “shoulder-surf” – looking over someone’s shoulder to note their password.
It is remarkably easy when you get the habit. Most passwords are reasonably short and meaningful to their users. Six or eight characters is the norm, with some logic to them: names, dates or common words like star signs. And the trick for shoulder surfing is not to be too greedy when watching. Let me give you a quick master-class, on the assumption that you have several chances to observe your target.
First, count the number of keys pressed – when it’s your turn, it’s useful to have an idea of the guesswork involved. And for this, you don’t even have to be carefully watching, just listening attentively.
You’re now onto the second phase: catching some of the keys.
In a firm that changes passwords frequently, your best opportunity is when the password is relatively new: the target will be typing it much slower than they will later, as they get used to the hand patterns involved. There are several techniques, but my preferred one is to try to catch the first three characters on the second entry. Don’t try to work out what the keys actually are, there and then; instead, watch for the keyboard location of the keys – try to get the vague idea of where their fingers move to.
With luck and a little replay inside your head, you will now know the length and the first three characters. In many cases, this might be enough to start a list of possible values: did the fingers just strike the number pad? It’s a birth date or a telephone number, in all probability. Were the keys the first few letters of some common word? Well, you’re a long way towards guessing it.
Now, look for the final key struck before they hit return. You’ll have to be fast since most people make those final two movements very rapidly, but if you can, then you have the length, the first three characters and the last one. In all probability, you can now guess – but if not, think about possible options and what you might expect the last three characters to be. One more observation and you have it!
How do you guard against this? Well, obviously, use long passwords, mix numbers and the shift key and practise until you can type them as rapidly as possible. And finally, make sure that I’m not standing behind you!










