"Cracking" is actually a high-speed guessing game. The attacker takes a wordlist (like rockyou.txt), hashes it using the same algorithm, and asks: "Does my hash match the stolen hash?"
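The guess-hash-compare loop described above, turned around as a defender's audit of their own credential store. This is an added example, not code from the original page. It assumes unsalted SHA-256 hex digests, and the account names, passwords and short wordlist are constructed sample data.

```python
import hashlib


def sha256_hex(password: str) -> str:
    """Hash a candidate the same way the (assumed) store does: unsalted SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(stored: dict, wordlist) -> list:
    """Return the accounts whose stored hash is reproduced by some wordlist entry.

    Only account names are returned, so the audit report itself never
    contains a recovered plaintext.
    """
    # Index accounts by digest: each guess is hashed once and compared against
    # every account at once, which is why unsalted stores fall in bulk.
    by_hash = {}
    for account, digest in stored.items():
        by_hash.setdefault(digest.lower(), []).append(account)

    exposed = set()
    for guess in wordlist:
        guess = guess.rstrip("\r\n")  # wordlist files carry line endings
        if guess:
            exposed.update(by_hash.get(sha256_hex(guess), []))
    return sorted(exposed)


def exposure(stored: dict, wordlist) -> float:
    """Fraction of accounts that a given wordlist recovers."""
    return len(audit(stored, wordlist)) / len(stored) if stored else 0.0


# Constructed sample store: account -> unsalted SHA-256 of a made-up password.
SAMPLE_STORE = {
    "alice": sha256_hex("Password123!"),
    "bob": sha256_hex("password"),
    "carol": sha256_hex("qwerty"),
    "dave": sha256_hex("T7#vq!m2Lx9$ReuP"),
    "erin": sha256_hex("password"),  # same digest as bob: no salt
}
# Constructed stand-in for a real wordlist file.
SAMPLE_WORDLIST = ["123456\n", "password\n", "qwerty\n", "Password123!\n", "letmein\n"]

if __name__ == "__main__":
    print("accounts to force-reset:", audit(SAMPLE_STORE, SAMPLE_WORDLIST))
    print("exposure: {:.0%}".format(exposure(SAMPLE_STORE, SAMPLE_WORDLIST)))
```

Every account the audit returns is one whose password should be reset and added to a deny list.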
So, if the database is leaked, the hacker doesn't see Password123!. They see the hash. Here is the nuance: We don't reverse hashes. We guess them.
Within 15 minutes, 60% of the database is plaintext.

The Ominous Reality

You might think your ThisIsMySecurePassword! is safe. But consider the law of large numbers. An attacker doesn't need your password. They need anyone's password.
They fire up Hashcat: hashcat -m 1400 -a 0 hashes.txt rockyou.txt (Flag -m 1400 = SHA-256, -a 0 = straight wordlist).
If you have spent any time in the darker corners of cybersecurity forums, red team Slack channels, or data breach notification sites, you have seen the term
The hacker looks at: $SHA256$dGhpcyBpcyBhIHNhbHQ$5e884898da... They see the $ separators and know it’s SHA-256 with a salt.