> Servers store passwords in the form of hashes, so even if a hacker steals the database, they see the hashes, not the actual password.
So as I understand it, the article assumes that someone hacked a website where you had an account, and wants to get your password (for the hacked website), in order to try using the same (username and) password to get access to your account on other websites.
Or, as other comments mentioned, they might intercept wifi authentication packets (which contain a hash of the wifi password), and try to get the wifi password from it.
Ah yes, thanks for the clarification. So, two mishaps are needed for this to work: a site needs to be hacked and the user database stolen, and a person needs to use the same user/password for all sites. Takeaway: never use the same password twice. Got it.
Generally speaking you can divide attacks like these into two types, online and offline.
In an offline attack, the attacker has somehow gained access to some encrypted and/or hashed secrets, and they're trying to break the encryption or reverse the hash. There's nothing getting in their way except for time and compute power.
In an online attack, there is some system in between the attacker and the target, like an authentication server, that can implement stuff like fail2ban, captchas, rate limiting, etc.
Even if they did not explicitly implement rate limiting, an online attack is going to take enormously longer to execute. Querying an online service is going to add say 100 msec round trip on top of the actual password hashing time.
I thought guidelines were that passwords should take 500 msec to calculate. So, call it 600 msec per submitted password. Many servers will melt before being able to respond to any serious brute forcing attempt.
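The online-versus-offline distinction in the comments above, as an added Python example (not code from the thread): a toy login service that stores only salted PBKDF2 digests, applies a fail2ban-style lockout before it even computes a hash, and a helper that bounds guesses per day under each model. The iteration count, the five-failure limit and the 600-second window are assumed policy values, not taken from the thread.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # PBKDF2 work factor; raise it until one hash costs ~500 ms, as the thread suggests
MAX_FAILURES = 5       # assumed policy: failures tolerated per account inside the window
WINDOW_SECONDS = 600   # assumed policy: lockout window in seconds

def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class LoginService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock   # injectable so the lockout window can be tested deterministically
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> timestamps of recent failed attempts

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _recent_failures(self, username: str) -> list:
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < WINDOW_SECONDS]
        self.failures[username] = recent
        return recent

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; the lockout is checked before any hashing."""
        if len(self._recent_failures(username)) >= MAX_FAILURES:
            return "locked"  # the server, not the attacker, decides how many guesses are possible
        # unknown users get a dummy salt/digest so the hash cost is paid either way
        salt, digest = self.users.get(username, (bytes(16), bytes(32)))
        if hmac.compare_digest(hash_password(password, salt), digest):
            return "ok"
        self.failures.setdefault(username, []).append(self.clock())
        return "denied"

def guesses_per_day(hash_seconds: float, rtt_seconds: float = 0.0, per_window_cap=None) -> float:
    """Upper bound on guesses per day. Offline: only the hash cost counts.
    Online: each guess also pays a round trip, and a lockout caps guesses per window."""
    unlimited = 86400 / (hash_seconds + rtt_seconds)
    if per_window_cap is None:
        return unlimited
    return min(unlimited, per_window_cap * 86400 / WINDOW_SECONDS)
```

With the thread's numbers, `guesses_per_day(0.5)` is the offline bound for a single core, while `guesses_per_day(0.5, 0.1, MAX_FAILURES)` shows the online bound collapsing to the lockout cap.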