LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is offline cracking, and why is it dramatically more dangerous than online attacks?

Once an attacker has the hash file, they can crack at full speed forever — no rate limits, no lockouts, no detection.

Online hits the rate-limited login form; offline runs a GPU rig against a stolen hash database, unthrottled.

* Online attacks are throttled; offline cracking runs unlimited against stolen hashes. *

Online vs offline:

Attack Speed limit Detection
Online (web login) Server rate limits + lockouts (e.g. 5 attempts/15 min) Easy — server logs failed attempts
Offline cracking Only hardware speed (~billions/sec) Impossible — happens on attacker's machine

The setup:

  1. Attacker breaches a server, exfiltrates the hash database
  2. They take the file home (or to a cloud GPU rig)
  3. They crack at full speed — billions of guesses per second
  4. The breached company never sees a single failed login

Why it changes the math:

Imagine your password takes:

  • 10 seconds with offline GPU brute force, OR
  • 1,000 years with online attacks (3 attempts per minute)

Same password, vastly different security depending on whether the database leaked.

Why this is the defender's nightmare:

  • You can't add rate limiting — the attacker isn't talking to you
  • You can't lock the account — the attacker has the hash, not the live account
  • You can't detect — the cracking happens on someone else's hardware
  • The user has no idea they're being attacked

The only defense:

Make the hashes slow to compute:

  • bcrypt, Argon2 → 100ms per hash → max ~10 attempts/second per CPU core
  • Even with 1000 GPUs, that's ~10,000/sec instead of 100 billion/sec
  • A 12-char password becomes infeasible even offline

This is why password storage matters more than password complexity:

If you use SHA-256 unsalted → an 8-char password falls in minutes offline. If you use Argon2 + salt → even a 6-char password takes years offline.

Tip: Almost every famous password breach involved an offline crack of a leaked database. The "front-door" attack via login form is rare in real-world incidents.

Go deeper:

From Quiz: INTROL / Password Cracking | Updated: Jul 14, 2026