Password Security for Medical Devices: Stop Online and Offline Attacks

Passwords still sit on critical paths in many medical device ecosystems: clinician portals, customer admin consoles, service tooling, manufacturing systems, and cloud dashboards. When attackers go after credentials, they usually use one of two strategies:

  • Online attacks (guessing against a live login page, API, VPN, or IdP)
  • Offline attacks (cracking stolen password hashes without touching your login system)

The distinction matters because each calls for different defenses. Online attacks are constrained by rate limits and detection. Offline attacks are constrained by how well you store passwords (hashing, salting, and work factor) and how quickly you detect and contain a breach.

Quick definitions: online vs offline password attacks

Online password attacks

Online attacks happen when an attacker sends login attempts to your application or identity layer. Common patterns include password spraying, credential stuffing (reused leaked passwords), and brute-force guessing. These attempts hit your systems, which means you can throttle them and alert on them if you have the right controls in place.

If you want a practical breakdown of spraying behavior and defenses, see Tackling Password Spraying Attacks and How Hackers Guess Your Password.

Offline password attacks

Offline attacks happen after an attacker obtains a password database (or similar authentication artifacts) from a compromised system. Instead of guessing against your login endpoint, they guess offline by comparing candidate passwords to stolen hashes.

Offline attacks are dangerous because they:

  • Do not trigger your online lockouts or CAPTCHA
  • Scale well with specialized compute
  • Depend heavily on password storage design, not just “strong passwords”

Why this matters for medical device manufacturers

Even if your device itself does not have interactive “user accounts,” your ecosystem probably does. In MedTech, the hotspots are often service tooling, cloud portals, and manufacturing or test environments. If those credentials get compromised, the impact can extend beyond “IT risk” into device availability, data exposure, update integrity, and patient safety.

Defending against online password attacks

1) Require MFA where it counts

Passwords alone are not enough for high-value accounts like admins, service, support, and cloud operations. Start by enforcing multi-factor authentication (MFA) for privileged and remote access paths. CISA’s MFA guidance is a solid baseline reference for why MFA matters and how it reduces account takeover risk: CISA: Multifactor Authentication.

2) Rate-limit and throttle in a way that stops real attacks

Online guessing only works when attackers can try lots of attempts. Use rate limiting, progressive throttling, and alerts for patterns like repeated failures across many accounts (spraying) or a single account (brute force). Make sure you are logging authentication attempts with enough detail to investigate quickly.
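As an added illustration (not code from the original post), the following sliding-window detector flags the two failure patterns described above over constructed sample authentication log lines: many distinct accounts failing from one source in a short window (spraying) and many failures against one account (brute force). Thresholds, the log format, and the sample IPs are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <OK|FAIL> <username> <source ip>".
# One source tries six different accounts once each, and one account
# receives ten failures from a single source; the last line is a normal login.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:0{i}Z FAIL {u} 203.0.113.10"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2024-05-01T10:01:{i:02d}Z FAIL svc-backup 198.51.100.7" for i in range(10)]
    + ["2024-05-01T10:05:00Z OK alice 192.0.2.50"]
)


def parse(log_text):
    """Turn log lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return events


def detect(events, window=timedelta(minutes=5), spray_accounts=5, brute_failures=10):
    """Return sorted alerts: ("spray", ip) or ("brute", user) for activity
    exceeding the thresholds inside any sliding window of the given length."""
    alerts = set()
    fails_by_ip = defaultdict(list)    # ip -> [(ts, user)] within window
    fails_by_user = defaultdict(list)  # user -> [ts] within window
    for ts, result, user, ip in sorted(events):
        if result != "FAIL":
            continue  # only failures feed the counters
        by_ip = fails_by_ip[ip]
        by_ip.append((ts, user))
        while ts - by_ip[0][0] > window:
            by_ip.pop(0)  # drop failures that fell out of the window
        if len({u for _, u in by_ip}) >= spray_accounts:
            alerts.add(("spray", ip))
        by_user = fails_by_user[user]
        by_user.append(ts)
        while ts - by_user[0] > window:
            by_user.pop(0)
        if len(by_user) >= brute_failures:
            alerts.add(("brute", user))
    return sorted(alerts)


if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

Tune the window and thresholds to your own login volume; a spray against an IdP is often slow and low-volume per account, which is why the per-source distinct-account count matters more than per-account failures.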

3) Reduce credential stuffing success

Credential stuffing is mostly a “reused password” problem, so you want controls that cut it off early. NIST includes practical guidance for memorized secrets, including screening new passwords against commonly used or compromised values: NIST SP 800-63B.

4) Harden account recovery

Attackers love weak “forgot password” flows. Treat recovery as a privileged pathway: require MFA where possible, tighten verification, and log and review recovery events. If you have service accounts or emergency access, make sure those workflows are documented and auditable.

Access control matters here too. If you want to tighten roles and permissions so a compromised account does less damage, see Permissions vs Rights and ACLs in Cybersecurity.

Defending against offline password attacks

1) Store passwords with modern password hashing

If a password database is stolen, your goal is to make offline guessing slow and expensive. That means using purpose-built password hashing, not “encryption” and not fast general-purpose hashes. OWASP’s guidance is the best quick reference for what “good” looks like, including modern algorithms, salting, and work factors: OWASP: Password Storage Cheat Sheet.

2) Always use unique salts, and consider a pepper

Salts prevent attackers from reusing precomputed work across users. A server-side pepper (stored separately from the database) can add defense in depth. OWASP covers the tradeoffs and practical implementation considerations in the same cheat sheet: OWASP: Password Storage Cheat Sheet.
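As an added example covering both points above (not code from the original post), this stores passwords with scrypt from Python's standard library, a unique random salt per user, and a server-side pepper applied as an HMAC key before hashing, with a helper that flags records whose work factor has fallen behind the current setting. The pepper value, the storage string format, and the scrypt cost are assumptions for the example; the cost shown is deliberately low for a quick demo and should be raised to the cheat sheet's current minimums in production.

```python
import hashlib
import hmac
import os

# Assumed for the example only. In production the pepper is loaded from a
# secret store or HSM and is never kept in the database that holds the hashes.
PEPPER = b"example-pepper-do-not-use"

# Current work factor. 2**14 keeps the demo fast; production should use the
# OWASP cheat sheet's current minimum scrypt parameters instead.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _prehash(password: str, pepper: bytes) -> bytes:
    # Bind the pepper to the password before the slow hash so a stolen
    # database alone is not enough to start cracking.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    salt = os.urandom(16)  # unique per user, stored beside the hash
    digest = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(_prehash(password, pepper), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(bytes.fromhex(hash_hex)))
    except ValueError:
        return False  # malformed record: treat as failed verification
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(stored: str) -> bool:
    """True when a stored record uses weaker parameters than the current ones,
    so the hash can be upgraded at the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```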

3) Treat service accounts and shared credentials as high-risk

Shared credentials and long-lived passwords show up in manufacturing and service environments more often than people like to admit. Prefer unique accounts, least privilege, credential rotation, and strong monitoring. If you need help building a realistic access model for those workflows, medical device threat modeling is often the fastest way to map where credential compromise becomes a safety or compliance problem.

4) Assume breach and plan containment

If an attacker has hashes, you need containment. That can include forced resets (based on risk), invalidating sessions or tokens, reviewing privileged access paths, and tightening monitoring. Offline defense is not just password storage; it is also incident readiness.

FDA-facing angle: how to make this defensible (not just “best practice”)

The FDA’s current cybersecurity guidance emphasizes secure-by-design and lifecycle controls, including authentication and authorization across the device ecosystem. A good evidence story ties together threats, requirements, implementation, verification, and postmarket operations. The FDA’s guidance is here: FDA: Cybersecurity in Medical Devices (Premarket Guidance).

If you want help turning authentication controls into reviewer-friendly documentation, these are the typical paths we support: FDA premarket cybersecurity services for submission evidence, FDA postmarket cybersecurity services for ongoing operations, and FDA-compliant vulnerability and penetration testing to validate controls. For older products that cannot be easily modernized, legacy medical device cybersecurity services can help reduce risk with compensating controls.

Key takeaways

  • Online attacks hit your login systems. Defend with MFA, rate limiting, detection, and hardened recovery.
  • Offline attacks happen after hash theft. Defend with modern password hashing, unique salts, and strong incident readiness.
  • In MedTech, the biggest credential risk often lives in service tooling, cloud portals, and manufacturing systems, not just the device UI.
  • For FDA-facing credibility, document threats, controls, and verification evidence across the total product lifecycle.

FAQs

Which is worse: online or offline password attacks?

Offline is often more dangerous once a password database is stolen because attackers can guess without lockouts and scale their effort. Online attacks can be throttled and detected if controls are implemented correctly.

Does MFA stop offline attacks?

MFA does not stop offline cracking of stolen hashes, but it can prevent cracked passwords from being used to log in. That is why MFA is especially important for privileged and remote access accounts. For a clear baseline explanation, see CISA: Multifactor Authentication.

What is the best way to protect stored passwords?

Use modern password hashing with unique salts and appropriate parameters that make guessing slow. OWASP’s password storage guidance is the most practical reference for teams implementing this in real systems: OWASP: Password Storage Cheat Sheet.

What is the biggest mistake teams make defending against online attacks?

Relying on “strong passwords” alone. Without MFA, rate limits, monitoring, and hardened recovery, online guessing and credential stuffing remain viable.

How do I explain these controls in an FDA submission?

Show traceability: threat modeling for online and offline credential attacks, requirements for MFA and rate limiting, secure password storage design choices, verification evidence, and postmarket monitoring and response procedures. FDA’s premarket guidance is a good anchor reference: FDA: Cybersecurity in Medical Devices.

Book a Discovery Session

If you want a practical review of your authentication attack surface (device ecosystem, cloud portals, service tooling) and a plan you can defend to FDA reviewers, we can help.

Conclusion

“Password security” is really two problems. Online attacks are about throttling and detection at the login boundary. Offline attacks are about what happens after compromise: whether your stored credentials are resilient to cracking and whether your team can contain impact quickly. For MedTech teams, the win is designing both layers intentionally, then backing it up with testable evidence and an operational plan that holds up over the product lifecycle.
