Subscribe to the Non-Human & AI Identity Journal

Offline Cracking

Offline cracking is the process of testing password guesses against captured encrypted material without interacting with the live system. It matters because it avoids lockout and detection controls, making password strength and breach exposure the deciding factors in whether an attacker succeeds.

Expanded Definition

Offline cracking is the process of guessing passwords or secrets against captured encrypted material, such as password hashes, token-derived artifacts, or protected credential stores, without querying the live target system. In NHI security, the distinction matters because the attacker is no longer limited by rate limits, MFA prompts, account lockouts, or anomaly detection on the production path.

Definitions vary across vendors when the target is not a classic password hash. Some teams use the term narrowly for password hash cracking, while others apply it more broadly to any offline recovery attempt against secrets that can be tested locally. In practice, the relevant question is whether the attacker can iterate privately until the material yields. NIST SP 800-53 Rev. 5 Security and Privacy Controls provides a useful control-oriented lens for protecting stored authenticators and limiting exposure of credential material. The most common misapplication is treating offline cracking as a login problem, which occurs when teams focus on authentication controls while leaving exposed hashes, weak key derivation, or leaked backups unaddressed.

Examples and Use Cases

Implementing defenses against offline cracking rigorously often introduces operational friction, requiring organisations to weigh stronger credential handling against easier recovery and support workflows.

  • A leaked service account hash is captured from a stolen backup and tested privately until the attacker finds a weak password, bypassing lockout and alerting controls.
  • An API key stored in a misconfigured artifact repository is extracted from an encrypted bundle and brute-forced offline after the attacker obtains the cipher material.
  • A CI/CD secret is recovered from an old build image, then validated offline against candidate values before the attacker uses it in a later intrusion.
  • During a breach investigation, defenders assume a secret is safe because the live account was disabled, but the attacker already completed offline testing from exported credential material.

These scenarios align with the broader NHI exposure patterns described in the Ultimate Guide to NHIs, where secret sprawl and long-lived credentials amplify downstream risk. The same logic applies to password verification guidance in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where stored authenticators and credential lifecycle controls are concerned.

Why It Matters in NHI Security

Offline cracking is especially dangerous for NHIs because service accounts, automation tokens, and API keys are often long-lived, broadly permissioned, and stored in more places than human credentials. NHIMG research shows that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage, which makes captured credential material a practical attack path rather than a theoretical one. The Ultimate Guide to NHIs also reports that 96% of organisations store secrets outside secrets managers in vulnerable locations, which increases the chance that attackers can obtain material suitable for offline testing.

From a governance perspective, this term matters because the risk is not just that a secret exists, but that its protective strength can be measured after theft. Strong hashing, salt strategy, key stretching, secret rotation, and removal of exposed backups all reduce the value of captured material. Organisations that ignore offline cracking often discover the issue only after a token dump, leaked repository, or stolen image reveals that a credential can be tested privately at scale, at which point remediation becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Covers improper secret handling and exposure that enables offline password testing.
NIST SP 800-63 AAL2 Assurance guidance helps bound the strength of authenticators subject to offline attack.
NIST CSF 2.0 PR.AC-1 Identity proofing and access control weaken when stored credentials are crackable offline.
NIST Zero Trust (SP 800-207) SC-2 Zero trust assumes credentials may be stolen, so offline cracking risk must be minimized.
NIST AI RMF Risk management requires evaluating how easily stolen secrets can be brute-forced offline.

Inventory exposed credential material, harden storage, and rotate secrets before they can be cracked offline.