What is offline cracking, and why is it dramatically more dangerous than online attacks?
Once an attacker has the hash file, they can crack at full speed forever — no rate limits, no lockouts, no detection.
* Online attacks are throttled; offline cracking runs unlimited against stolen hashes. *
Online vs offline:
| Attack | Speed limit | Detection |
|---|---|---|
| Online (web login) | Server rate limits + lockouts (e.g. 5 attempts/15 min) | Easy — server logs failed attempts |
| Offline cracking | Only hardware speed (~billions/sec) | Impossible — happens on attacker's machine |
The setup:
- Attacker breaches a server, exfiltrates the hash database
- They take the file home (or to a cloud GPU rig)
- They crack at full speed — billions of guesses per second
- The breached company never sees a single failed login
Why it changes the math:
Imagine your password takes:
- 10 seconds with offline GPU brute force, OR
- 1,000 years with online attacks (3 attempts per minute)
Same password, vastly different security depending on whether the database leaked.
Why this is the defender's nightmare:
- You can't add rate limiting — the attacker isn't talking to you
- You can't lock the account — the attacker has the hash, not the live account
- You can't detect — the cracking happens on someone else's hardware
- The user has no idea they're being attacked
The only defense:
Make the hashes slow to compute:
- bcrypt, Argon2 → 100ms per hash → max ~10 attempts/second per CPU core
- Even with 1000 GPUs, that's ~10,000/sec instead of 100 billion/sec
- A 12-char password becomes infeasible even offline
This is why password storage matters more than password complexity:
If you use SHA-256 unsalted → an 8-char password falls in minutes offline. If you use Argon2 + salt → even a 6-char password takes years offline.
Tip: Almost every famous password breach involved an offline crack of a leaked database. The "front-door" attack via login form is rare in real-world incidents.
Go deeper:
Password cracking (Wikipedia) — contrasts lockout-limited online attacks with unlimited offline guessing against a stolen hash.