Offline Password Attacks

September 2, 2025
Alex Arriaga, CySA+, PenTest+


A threat actor can acquire password hash files by exploiting a vulnerable database, by already having access to an internal network, from a data breach, or in a myriad of other ways. With these password hash files, a threat actor can conduct offline password attacks. An offline password attack is one where a threat actor uses computer hardware such as graphics cards to run powerful, specialized tools dedicated to cracking hashed passwords. This is different from an online password attack, such as a brute force password spray attack, which is limited by lockout policies, firewall rules, or other security controls that could block the attack. When threat actors have a password hash file offline, they have unlimited time to use their computer hardware to crack the password hashes.

There are several protection measures that significantly increase the computational resources needed to crack passwords, which in turn deters threat actors. These measures include using stronger password hashing algorithms and authentication methods, using password managers, implementing Multi-Factor Authentication (MFA), which requires users to verify their identity in multiple ways, and enforcing strong password policies. Additionally, tools such as password blacklists, which prevent the use of breached or easily guessable passwords, can be effective in limiting the attack surface of offline cracking.
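As an added illustration of two of the measures above (this code is not from the original article), the following Python sketch stores passwords with a salted, iterated hash and rejects blacklisted passwords before they are ever hashed. The choice of PBKDF2-HMAC-SHA256, the iteration count, the minimum length, the record format, and the sample list are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample list; a real one is loaded from a breached-password corpus.
DENYLIST = {"password", "123456", "qwerty", "letmein", "summer2025"}
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
MIN_LENGTH = 12       # assumed policy value


def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable."""
    if password.lower() in DENYLIST:
        return "on denylist"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Build a record 'algo$iterations$salt$hash' with a fresh random salt."""
    reason = check_policy(password)
    if reason:
        raise ValueError(f"password rejected: {reason}")
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords, different hashes
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        n, salt, expected = int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, n)
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, target: int = ITERATIONS) -> bool:
    """True if the record was created with a weaker work factor than the target."""
    return int(record.split("$")[1]) < target
```

Every guess against a stolen record costs the attacker the full iteration count, and the per-record salt means one guess cannot be checked against many accounts at once. `needs_rehash` lets older records be upgraded the next time the user logs in successfully.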

By using these various forms of protection and conducting regular penetration tests and password audits, the risk of credential leaks and of accounts being compromised from both online and offline password attacks is greatly reduced.

 

Neovera SV (formerly 10-D Security) is an independent firm specializing in IT security and compliance for financial institutions. We help clients mitigate risk and comply with GLBA requirements, offering tailored services and expertise to strengthen cybersecurity programs.
