Online vs. Offline Password Attacks: Key Differences Every Security Pro Should Know
Password attacks in offensive security fall into two distinct categories — online and offline — and choosing the wrong approach can waste time, trigger account lockouts, or expose a security engagement. Online attacks target live services like SSH or RDP using tools such as Hydra and Medusa, but are slow, noisy, and vulnerable to rate limiting and lockout policies. Offline attacks work against already-obtained password hashes using tools like Hashcat or John the Ripper, offering speed and silence but requiring prior access to hash data. A third scenario involves plaintext credentials, which calls for credential stuffing rather than any brute-force method. Defenders can counter online attacks with rate limiting and multi-factor authentication, while offline threats are best mitigated by using modern, slow, salted hashing algorithms to protect stored credentials.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in