Offline password attacks

binsec academy GmbH Pentest Training Hacking

In contrast to online password attacks, offline attacks assume that the attacker already has access to password hashes. This may occur as a result of a database leak or unauthorized access to a compromised system. Password candidates are then tested locally, completely independent of the original system’s protection mechanisms.

A cryptographic hash function is a one-way function that maps input data of arbitrary size to a fixed-length value. Recovering a password therefore does not mean “reversing” the hash, but rather finding an input that produces the same hash value.

Key Success Factors

The success of an offline attack primarily depends on three factors:

  1. Computational Power:
    The more processing power an attacker has available, the more password candidates can be tested per second. Modern GPUs enable massive parallelization and can reach billions of attempts per second for simple hash functions.

  2. Password Strength:
    As password length and complexity increase, the search space grows exponentially. This significantly increases the time required for a successful attack.

  3. Hash Algorithm:
    Traditional functions such as MD5 or SHA-1 are computationally efficient and therefore particularly vulnerable. Modern algorithms such as bcrypt, scrypt, or Argon2 deliberately increase computational and memory cost (key stretching), significantly slowing down attacks.
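To see how the three factors interact, the following added example (not part of the original article) measures single-core guess throughput against a fast hash and against scrypt on the local machine, then estimates the time needed to exhaust a search space. The scrypt parameters, the 95-character alphabet and all function names are assumptions chosen for illustration.

```python
import hashlib
import os
import time

SALT = os.urandom(16)  # constructed sample salt

def fast_hash(candidate: bytes) -> bytes:
    # Single SHA-256 pass: cheap to compute, so cheap to guess against.
    return hashlib.sha256(SALT + candidate).digest()

def slow_hash(candidate: bytes) -> bytes:
    # scrypt with assumed parameters (n=2**14, r=8, p=1): ~16 MiB per guess.
    return hashlib.scrypt(candidate, salt=SALT, n=2**14, r=8, p=1, dklen=32)

def guesses_per_second(hash_fn, budget: float = 0.3) -> float:
    """Measure single-core throughput of hash_fn for about `budget` seconds."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < budget:
        hash_fn(b"candidate%d" % count)
        count += 1
    return count / (time.perf_counter() - start)

def search_space(charset_size: int, max_length: int) -> int:
    """Number of candidates of length 1..max_length."""
    return sum(charset_size ** n for n in range(1, max_length + 1))

def years_to_exhaust(charset_size: int, max_length: int, rate: float) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return search_space(charset_size, max_length) / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    rates = {"SHA-256": guesses_per_second(fast_hash),
             "scrypt": guesses_per_second(slow_hash)}
    for name, rate in rates.items():
        print(f"{name}: {rate:,.0f} guesses/s on one core")
        for length in (8, 10, 12):
            # 95 = number of printable ASCII characters (assumed alphabet)
            print(f"  up to {length} chars: "
                  f"{years_to_exhaust(95, length, rate):.3g} years")
```

Each additional character multiplies the search space by the alphabet size, while the choice of hash function divides the achievable guess rate by a constant factor.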

The Role of Salt and Collisions

Cryptographic hash functions are designed such that it is practically infeasible to generate collisions, meaning two different inputs that result in the same hash value. However, for password attacks, this property is of limited relevance. In practice, attackers do not search for arbitrary collisions but attempt to recover the original password through systematic guessing.

A key defensive mechanism is the use of a salt. A salt is a random value that is combined with the password before hashing. This ensures that identical passwords do not produce identical hashes.

In addition, salt prevents the efficient use of precomputed attacks such as rainbow tables, since separate computations are required for each hash. As a result, attack results cannot be reused across different datasets.
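The effect of a salt can be checked directly on stored hashes. This added example (not from the original article) stores the same constructed passwords once with unsalted SHA-256 and once with a per-password random salt and scrypt, then looks for accounts sharing a hash value. The account names, passwords, scrypt parameters and function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this sketch; tune them to your hardware.
SCRYPT = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}

def unsalted_sha256(password: str) -> str:
    """Weak scheme: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str) -> dict:
    """Salted scheme: a fresh 16-byte random salt for every stored password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(password.encode(),
                            salt=bytes.fromhex(record["salt"]), **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def shared_hash_groups(hashes: dict) -> list:
    """Return groups of users whose stored hash values are identical."""
    by_hash = {}
    for user, value in hashes.items():
        by_hash.setdefault(value, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]

# Constructed sample accounts: alice and bob chose the same password.
PASSWORDS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "x9$Lq#v2Tz"}

if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in PASSWORDS.items()}
    records = {u: hash_password(p) for u, p in PASSWORDS.items()}
    strong = {u: r["hash"] for u, r in records.items()}
    print("unsalted duplicates:", shared_hash_groups(weak))
    print("salted duplicates:  ", shared_hash_groups(strong))
    print("bob verifies:", verify_password("Summer2024!", records["bob"]))
```

Running `shared_hash_groups` over an existing credential table is a quick audit: any group it reports means the scheme is unsalted or reuses a salt.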

Tools and Specialized Techniques

In practice, various tools are used, each with specific strengths:

  • hashcat:
    Considered the standard tool for high-speed password cracking due to its strong GPU support.

  • John the Ripper (JtR):
    Known for its flexibility and support for a wide range of hash formats, including less common ones. It is often used for CPU-based analysis and as a complement to other tools.

  • Rule-based Attacks:
    Instead of using static wordlists, rules are applied to systematically modify words, for example by replacing characters, appending numbers, or inserting special characters. This approach closely models real-world password patterns and is often more effective than pure brute force.

  • Rainbow Tables and Specialized Tools:
    Tools such as Ophcrack use precomputed tables to quickly resolve hashes. This technique is only effective for outdated or unsalted hash schemes (e.g., LM hashes) and is largely irrelevant in modern systems.

  • CyberChef:
    A versatile tool for quickly identifying hash types and performing basic cryptographic analysis and data preparation.
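Because rule-based attacks model the way people decorate ordinary words, a password policy can apply the same transformations in reverse at registration time. The following added example (not part of the original article) strips appended characters, undoes common substitutions and removes inserted symbols, then checks the result against a blocklist. The blocklist, substitution table and function names are assumptions.

```python
import re

# Constructed sample blocklist; a real deployment would load a large wordlist.
BLOCKLIST = {"password", "summer", "welcome", "admin", "frankfurt"}

# Common character substitutions, mapped back to the plain letter.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

def _strip_affixes(text: str) -> str:
    # Undo "append/prepend digits or symbols": "summer2024!" -> "summer"
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)

def base_words(password: str) -> set:
    """Reverse typical mangling rules and return possible base words."""
    lowered = password.lower()
    candidates = set()
    # Try both orders: strip affixes first, or undo substitutions first
    # ("4dmin!" only resolves to "admin" in the second order).
    for variant in (lowered, lowered.translate(UNLEET)):
        core = _strip_affixes(variant)
        candidates.add(core)
        candidates.add(core.translate(UNLEET))
        # Undo "insert special characters": "pass-word" -> "password"
        candidates.add(re.sub(r"[^a-z]", "", core))
    return candidates

def blocked_base_word(password: str):
    """Return the blocklisted word a password is derived from, else None."""
    hits = base_words(password) & BLOCKLIST
    return min(hits) if hits else None

if __name__ == "__main__":
    # Constructed sample passwords
    for pw in ("Summer2024!", "P@ssw0rd!", "4dmin!", "pass-word", "x9$Lq#v2Tz"):
        print(f"{pw!r:15} -> {blocked_base_word(pw)}")
```

A password that satisfies length and character-class requirements can still be rejected here, which is the point: complexity rules alone do not remove it from a rule-generated candidate list.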

Conclusion

Offline password attacks are highly efficient, as they are not limited by network latency or defensive mechanisms such as rate limiting or account lockouts. Once an attacker gains access to password hashes, security primarily depends on password strength and the quality of the hashing algorithm used.

Modern hashing algorithms combined with strong passwords can increase the cost of an attack to the point where it becomes practically infeasible.
