Threats, Vulnerabilities, and Mitigations · SY0-701 · Task 2.4

Password attacks — SY0-701

Security+ SY0-701 concept: password attacks — offline vs. online attack distinction, NIST-grounded definitions, exam misconceptions, and countermeasures.

WHAT IT IS

A password attack is an attempt to gain unauthorized access to system services, resources, or information by targeting the memorized secret used during authentication. NIST defines a memorized secret as "a type of authenticator consisting of a character string that is intended to be memorized or memorable by the subscriber to permit the claimant to demonstrate something they know as part of an authentication process" (NIST SP 800-63-4). Attacking that authenticator means attempting to discover, defeat, or circumvent it so the attacker can impersonate a legitimate claimant.

Mental model

The most clarifying frame for password attacks is the location of the attack relative to the verifier — not the technique used. NIST SP 800-63-4 draws a firm line between two categories:

  • An offline attack is one "wherein the attacker obtains data (such as through eavesdropping on authentication transactions or stealing security files from a compromised system) and subsequently analyzes that data using their own systems." The verifier is no longer in the loop — the attacker works against captured data at their own pace.
  • An online attack is one "against an authentication protocol in which the attacker either assumes the role of a claimant with a genuine verifier or actively alters the authentication channel." The verifier is live and can observe, throttle, or lock out the attacker.

This distinction — offline vs. online — governs which defenses are relevant and explains why the same guessing strategy carries very different risk depending on where it runs.

When to use it

The exam often presents a scenario and asks you to identify the attack category, or presents an attack and asks which defense applies. The table below grounds the key distinction.

| Dimension | Offline attack | Online attack |
|---|---|---|
| Where the attempt happens | Attacker's own systems, against captured data | Live authentication channel, against an active verifier |
| Verifier awareness | Verifier cannot observe or throttle attempts | Verifier can detect unusual attempt rates and lock accounts |
| Example data the attacker needs first | Intercepted authentication transaction data or stolen credential files (NIST SP 800-63-4) | None beyond a working login endpoint |
| Primary countermeasure type | Protecting stored credential data; strong one-way transforms | Rate limiting, account lockout, and monitoring on the verifier side |

When a scenario describes an attacker who has already obtained a file or captured traffic and is working offline, the relevant attack class is offline. When the attacker is submitting attempts directly to a live system, the attack is online.
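The two countermeasure rows of the table map onto two different pieces of a verifier. The following is an added example written for this page; it is not code from CutScore, NIST, or any product, and the `Verifier` class, `hash_secret`, `accounts_under_pressure`, the iteration count and the lockout thresholds are all illustrative assumptions. The stored-secret side (salted PBKDF2 with a deliberately high work factor) is the control that still matters once a credential file has been stolen, because nothing in the lockout logic runs on the attacker's machine. The lockout and monitoring side only ever sees attempts submitted to the live endpoint, which is exactly why it is irrelevant to offline analysis.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable

# Offline-attack defense: the verifier stores only a salted, deliberately slow
# one-way transform of each memorized secret, never the secret itself.
# The iteration count is an assumption for illustration; tune it for real hardware.
PBKDF2_ITERATIONS = 200_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive the stored verifier value with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def guess_cost_seconds() -> float:
    """Wall-clock cost of evaluating one candidate against a stored digest.

    Against a stolen file this cost is the only thing slowing the attacker down;
    account lockout never fires because the verifier is not involved.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    hash_secret("candidate value", salt)
    return time.perf_counter() - start


@dataclass
class Verifier:
    """Hypothetical verifier with per-account lockout (online-attack defense)."""
    max_failures: int = 5                          # consecutive failures before lockout
    lockout_seconds: float = 900.0                 # how long the lock lasts
    clock: Callable[[], float] = time.monotonic    # injectable clock for tests
    _store: dict = field(default_factory=dict)         # user -> (salt, digest)
    _failures: dict = field(default_factory=dict)      # user -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # user -> unlock time
    events: list = field(default_factory=list)         # (time, user, outcome) audit trail

    def enroll(self, user: str, secret: str) -> None:
        salt = os.urandom(16)
        self._store[user] = (salt, hash_secret(secret, salt))

    def authenticate(self, user: str, secret: str) -> str:
        """Return 'success', 'failure' or 'locked' for one live attempt."""
        now = self.clock()
        if self._locked_until.get(user, 0.0) > now:
            # Locked accounts are refused even for the correct secret.
            return self._record(now, user, "locked")
        record = self._store.get(user)
        # Unknown users go through the same slow derivation so response timing
        # does not reveal whether the account exists.
        salt, digest = record if record else (b"\x00" * 16, b"\x00" * 32)
        candidate = hash_secret(secret, salt)
        ok = record is not None and hmac.compare_digest(candidate, digest)
        if ok:
            self._failures[user] = 0
            return self._record(now, user, "success")
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
        return self._record(now, user, "failure")

    def _record(self, when: float, user: str, outcome: str) -> str:
        self.events.append((when, user, outcome))
        return outcome


def accounts_under_pressure(events: list, threshold: int = 3) -> list:
    """Monitoring: accounts with at least `threshold` failed or locked attempts."""
    counts: dict = {}
    for _, user, outcome in events:
        if outcome != "success":
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    v = Verifier(max_failures=3, lockout_seconds=60.0)
    v.enroll("alice", "correct horse battery staple")
    for attempt in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(attempt, "->", v.authenticate("alice", attempt))
    print("accounts under pressure:", accounts_under_pressure(v.events))
    print(f"cost per offline guess: {guess_cost_seconds():.3f}s")
```

Run stand-alone, the script shows the fourth attempt refused as "locked" even though the secret is correct, which is the verifier-side control doing its job; the final line shows the per-guess cost that an offline attacker would face instead, with no lockout in the picture.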

COMMON MISCONCEPTION

Candidates commonly treat the technique (trying many passwords, trying common words, using precomputed values) as the defining attribute of the attack. The NIST-grounded distinction is actually about where the work happens — offline (against captured data, on the attacker's own systems) vs. online (against a live verifier). A scenario that describes an attacker using a list of likely values against a live login prompt describes an online attack constrained by whatever the verifier will tolerate. The same technique applied to a stolen credential file is an offline attack unconstrained by the verifier. Conflating the two leads to recommending the wrong countermeasure: account lockout does nothing to stop offline analysis of stolen data, and protecting stored secrets does nothing to stop live attempts.

How it shows up on the exam

Questions targeting this concept typically ask candidates to:

  • Classify a described scenario as an offline or online attack and select the matching defensive control.
  • Select the countermeasure appropriate for a given attack context — a common misconception is applying account lockout to offline attack scenarios, where the verifier is not involved.
  • Recognize the prerequisite for an offline attack: the attacker must first obtain authentication data (through eavesdropping or system compromise, per NIST SP 800-63-4) before the offline analysis can begin.

Signal phrases to watch for: "obtained a file," "captured authentication traffic," "stolen from a compromised system" point toward offline. "Submitting attempts," "login page," "authentication endpoint" point toward online.

The cognitive target is distinguishing the two attack surfaces cleanly enough to match the attack to its countermeasure — not simply naming a technique.

Related concepts

  • Malware types — malware is frequently the mechanism used to exfiltrate stored credential data, enabling offline attacks.
  • Ransomware — ransomware actors often harvest credentials before encrypting data, combining password attacks with their campaigns.
  • Rootkits and logic bombs — rootkits can facilitate persistent access to credential stores, feeding offline attack workflows.

Sources

Every claim on this page traces to the public exam blueprint and official documentation.
