LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the difference between an online and an offline attack on passwords?

Online = attacker tries passwords through the system's normal login interface. Offline = attacker has stolen the password file/database and can try unlimited candidates locally against the hash.

Online Offline
Setup Attack the legitimate login flow Steal the password DB first
Speed Limited by network + server rate-limits Limited only by attacker's hardware (GPUs, ASICs)
Visibility Generates failed-login events the defender sees Completely invisible to the victim
Example Trying passwords against a website Cracking the leaked hash dump from a breach

Why the distinction matters: the defenses are completely different.

  • Against online: rate-limiting, account lockout, CAPTCHAs, geolocation anomaly detection. These all work because the defender is in the loop.
  • Against offline: the defender is not in the loop — once the hash file is stolen, it's the attacker's hardware vs. your hashing function. Defense is only "make hashing slow" (Argon2, bcrypt, scrypt) and "make passwords long" (so they survive the slow hashing).

Tip: Online defenses are powerless once a database leaks — every password file should be designed assuming it will eventually be stolen. That's the right threat model.

From Quiz: ISF / Session Handling & Login Protocols | Updated: Jul 14, 2026