It's computationally expensive to hash every single possible password, but given a proposed login/password combo, it's not expensive to check just the one. If Google, in crawling, finds a dump of several million accounts and their purported passwords, it's not a heavy lift to check each password.