What’s the Difference Between Offline and Online Password Attacks?

The difference between offline and online password attacks could be the thing that prevents your account from being hacked and your organization being breached. In most cases, an attacker is going to be much more successful with an offline password attack than they will be from an online attack. But why? In this blog, we will explore the difference between offline and online password attacks, the advantages of offline password attacks, and the way an attacker can perform an offline password attack.

Online Password Attacks

The difference between offline and online password attacks
An online password attack consists of trying to guess the username and password at the login interface.

Let’s start with the one you are probably most familiar with: online password attacks. Online password attacks are the traditional type of attacks you can expect against a web application, exposed SSH terminal, or really any logon interface. An online password attack consists of trying a large number of username/password combinations against the login portal in hopes of guessing the correct password.

Online password attacks are limited in two key ways. First, they are limited by the speed of the network. Each username/password combination has to be sent over the network to the authentication server and then the server responds accordingly. This time it takes for this back and forth transmission depends widely on the speed of the application server and the speed of the network, but a typical password attack can only get around 3 – 5 login attempts per second.

The second way online password attacks are limited is that they are extremely noisy. When we are attempting 5 logins every second for an average password dictionary (around 10,000 passwords), this is likely going to be flagged by almost any type of logging and alerting mechanism. Additionally, most applications are protected with account lockouts. When a password is guessed incorrectly a certain number of times in a row, it may lock out the targeted account, block the attacker’s IP address, or both.

Offline Password Attacks

Here comes one of the most obvious statements: The difference between offline and online password attacks is that… offline password attacks are offline. Great, but what does that mean? How could a password attack be offline? Well in some cases, an attacker can get a hash of your password that they can take offline and try to crack it.

A hash is just a one-way form of encryption. When your computer saves your password, it doesn’t (or shouldn’t) save your password in clear-text. Instead, it hashes your password and saves that. So, for example, if your password is Password123 your computer will store: 42f749ade7f9e195bf475f37a44cafcb. This way if anyone is able to read the memory of your computer, they won’t be able to know what your password is.

Now when you login to your computer, the computer takes what you put in the password prompt, computes a hash, and compares that hash with the one it stored when you set your password. If the passwords match, you are granted access. An offline password attack will take this hash offline and try to find the clear-text value that computes to that hash. To do this, an attacker will use a computer (or a beefed up computer) to take passwords, compute the hash, and compare them very quickly. This will be performed over and over again until a match is found.

The difference between offline and online password attacks
Cracking passwords has come a long way since World War II.

In terms of advantages, the difference between offline and online password attacks is huge. In an offline password attack, the attacker is never actually attempting to login to the application server. This means it is invisible to the security team and logs. This also means that common protections such as account lockouts will not work. This is because the attacker is going to take it offline, find the password, and then only one correct attempt will be registered by the application.

Another major difference between offline and online password attacks is speed. While online password attacks are limited by the speed of the network, offline password attacks are limited only by the speed of the computer the attacker is using to crack them. To put that in context, we have a cracking machine we built for less than $5,000 that can attempt 3 billion password guesses per second. That means that an 8 character password can be brute forced (every possible combination of characters) in less than 3 days.

How Do Hackers Get My Password Offline?

Ok, so knowing that offline password attacks are much more dangerous, the next logical question is how do attackers get the hashed password that they can take offline. The truth is, there are hundreds of ways an attacker can get your hashed password offline, but let’s look at a few.

  1. Sniffing on the network. When you connect to the shared drive to try to access that file you need, you have to prove you have permissions to view the file you are trying to access. This is what prevents the marketing department from reading the HR folder. The way that works over the network is that the shared drive will send you a challenge, and you will compute a new value using your hashed password and the challenge, and send that back to the server for authorization. If an attacker is able to sniff the network and get both the challenge and the response, they can take them offline and perform a password attack. There are also things an attacker can do to increase the likelihood that they can get this hash, known as NETBIOS Name Server Spoofing or Link-Local Multicast Name Resolution Spoofing. In these attacks, the attacker impersonates the file share, and gets you to authenticate to them! We will cover that more in a future blog.
  2. Dumping memory contents. Once an attacker gains administrative access to a single server or application, they can dump the contents of memory, including the SAM file. Remember above how I said that your computer saves a hash of your password that it checks every time you login? Well, this is saved in the SAM file (for Window’s computers), and an attacker with admin level access can dump this file, revealing the hashes of all local accounts on the system. Similarly, if an attacker gains access to a database, they can dump the user table which may contain password hashes.
  3. NTDS File. If an attacker is able to get domain administrator credentials and gain access to the domain controller, they can gain access to the NTDS file. This file holds the hashed password for every user on the domain. This is obviously worst case scenario for an organization and a pot of gold for an attacker looking to launch offline password attacks.

How Can I Protect My Password?

Knowing all this, the next step is to protect your password. In order to do this, we recommend taking a layered approach, as there is no silver bullet to protect against password attacks.

  1. Prevent an attacker from getting your password offline. This first one is obvious, and it may be hard to do, but any step you can take that can prevent an attacker from gaining that initial access to the hashes to take them offline should be prioritized. This includes many common security best practices, such as ensuring systems are patched and up to date, performing system hardening to remove unnecessary functionality and services, increasing and customizing logging and alerting, etc.
  2. Reduce the severity of the password disclosure. As we discussed above, there is a fairly good chance a dedicated attacker can get valid credentials. If not yours, then one of your users who has their password based on their dog’s name. Therefore, you should take actions to reduce the severity of the incident when that happens. This can include steps such as having a different password for each application, strict use of least privilege when permitting access, using multi-factor authentication anywhere possible, and requiring users to change passwords regularly.
  3. Increase the strength of your passwords. Also discussed above, if your password is only 8 characters in length, an attacker can reasonably get the password (no matter what it is) in under 3 days. This should make it painfully clear that 8 characters is no longer sufficient. See our blog on the difference between passwords and passphrase for a more detailed explanation.

Conclusion

In this blog we explored the difference between offline and online password attacks. We covered why offline password attacks are much more likely to be successful, and how an attacker is likely to get password hashes offline in order to perform these attacks. Finally, we covered three broad options to protect your passwords better. Let us know if you still have questions or you’d like to learn more about assessing the password security for your organization.