by Lex-2008 741 days ago
From the article:

> Servers store passwords in the form of hashes, so even if a hacker steals the database, they see the hashes, not the actual password.

So as I understand it, the article assumes that someone hacked a website where you had an account, and wants to get your password (for the hacked website), in order to try using the same (username and) password to get access to your account on other websites.

Or, as other comments mentioned, they might intercept wifi authentication packets (which contain a hash of the wifi password), and try to get the wifi password from it.


Ah yes, thanks for the clarification. So, two mishaps are needed for this to work: a site needs to be hacked and the user database stolen, and a person needs to use the same user/password for all sites. Takeaway: never use the same password twice. Got it.

AND that site has to be using unsalted MD5 password hashes, in which case you were already doomed.

Salts do not make brute-forcing any more "difficult" though, if that's the method you're using to crack with.

Of course this is correct (merely makes it so that you have to brute force instead of look up in your book)!
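
An added example, not part of the thread or the article: a Python sketch of the distinction the last comments draw, showing that a precomputed table resolves unsalted MD5 in one lookup, that a per-user salt defeats the table but leaves the cost of each guess unchanged, and, going one step beyond the thread, that a slow KDF raises that per-guess cost. The word list, function names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed password list.
WORDLIST = ["123456", "password", "letmein", "hunter2"]
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your own hardware


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_table(words):
    """Hash each candidate once; reusable against any unsalted MD5 database."""
    return {md5_hex(w.encode()): w for w in words}


def store_md5(password: str, salt: bytes = b"") -> str:
    """Unsalted when salt is empty; otherwise MD5(salt || password)."""
    return md5_hex(salt + password.encode())


def brute_force(digest: str, salt: bytes, words):
    """Per-record guessing. The salt is stored next to the hash, so each guess
    still costs one MD5; the salt only forces the work to be redone per record."""
    for w in words:
        if hmac.compare_digest(store_md5(w, salt), digest):
            return w
    return None


def store_slow(password: str, salt: bytes) -> bytes:
    """Salt plus a deliberately slow KDF: raises the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_slow(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(store_slow(password, salt), digest)


if __name__ == "__main__":
    table = build_table(WORDLIST)
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    salted_a, salted_b = store_md5("hunter2", salt_a), store_md5("hunter2", salt_b)
    print("unsalted found in table:", table.get(store_md5("hunter2")))
    print("salted found in table:", table.get(salted_a))
    print("same password, two salts, equal hashes:", salted_a == salted_b)
    print("salted recovered by guessing:", brute_force(salted_a, salt_a, WORDLIST))
    print("slow KDF verifies:", verify_slow("hunter2", salt_a, store_slow("hunter2", salt_a)))
```
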