Quiz Entry - updated: 2026.07.14
What is the difference between an online and an offline attack on passwords?
Online = attacker tries passwords through the system's normal login interface. Offline = attacker has stolen the password file/database and can try unlimited candidates locally against the hash.
| Online | Offline | |
|---|---|---|
| Setup | Attack the legitimate login flow | Steal the password DB first |
| Speed | Limited by network + server rate-limits | Limited only by attacker's hardware (GPUs, ASICs) |
| Visibility | Generates failed-login events the defender sees | Completely invisible to the victim |
| Example | Trying passwords against a website | Cracking the leaked hash dump from a breach |
Why the distinction matters: the defenses are completely different.
- Against online: rate-limiting, account lockout, CAPTCHAs, geolocation anomaly detection. These all work because the defender is in the loop.
- Against offline: the defender is not in the loop — once the hash file is stolen, it's the attacker's hardware vs. your hashing function. Defense is only "make hashing slow" (Argon2, bcrypt, scrypt) and "make passwords long" (so they survive the slow hashing).
Tip: Online defenses are powerless once a database leaks — every password file should be designed assuming it will eventually be stolen. That's the right threat model.