Just to summarize what BoulderBoy and jchef already described, a password database might look something like this:
username | userID | email address | other plaintext information | password salt | hashed password
The attacker would then simplify this down to the password salt and hashed password, and perhaps the username (although they could just look that up in the original table later on).
The first pass would be to remove any duplicates (normally people with the same password and salt, although occasionally hash functions have "collisions" where entirely different passwords + same salts = same hash). The second pass would be to look up the salt+hash in a rainbow table (the tables BoulderBoy described) to find all of the "low-hanging fruit". All hash functions are vulnerable to this pass, regardless of the time complexity of the hash function (only storage space complexity bounds rainbow table attacks, which is why longer passwords are generally better; it usually takes too much space to store the hashes and salts of really long passwords).
The third pass is to send the remaining salts and hashes to a GPU cracking rig, or perhaps even distribute them amongst many GPU cracking rigs. They don't have to jump straight into brute force at this point either. They can do pattern analysis in order to guide the search. In the case where they already have a corpus of cracked passwords of the size of this particular gang, they could even do targeted pattern analysis (e.g. look up the email address on the already cracked sites list to see if the user has a simple password scheme like basePattern+siteName). This will get them the remaining low-to-mid-hanging fruit (e.g. moderate length passwords, long passwords built off common phrases, long passwords built off patterns).
They then can move on to brute-forcing the remaining hashes. This involves generating all permutations of an x-character password in the 96-character printable character set (or the high-order ASCII set, but that's more complexity), hashing them with the salt and seeing if it matches the stored password hash. Depending on the value of the target, the size of their cracking rigs, and the type of hash function used for the password hashes, they may or may not spend the extra time trying to brute force very long passwords. They might even publish the hashes on the Internet just to see if some bored hacker will save them the time, electricity, and trouble.
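The first pass described above depends on rows that share a salt and hash. As an added example (not part of the original post), this Python code audits a constructed table with the post's salt and hash columns for that condition, and shows that per-user random salts with scrypt leave nothing to deduplicate. The row layout, function names, sample users and scrypt parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=2**26)

def make_record(username, password, salt=None):
    """Build one row: username, password salt, hashed password."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per user
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"username": username, "salt": salt, "hash": digest}

def verify(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(candidate.encode(), salt=record["salt"], **SCRYPT)
    return hmac.compare_digest(digest, record["hash"])

def audit(rows):
    """Report users sharing a (salt, hash) pair and users sharing a salt."""
    by_pair, by_salt = defaultdict(list), defaultdict(list)
    for row in rows:
        by_pair[(row["salt"], row["hash"])].append(row["username"])
        by_salt[row["salt"]].append(row["username"])
    return {
        "duplicate_pairs": sorted(sorted(u) for u in by_pair.values() if len(u) > 1),
        "reused_salts": sorted(sorted(u) for u in by_salt.values() if len(u) > 1),
    }

def demo():
    # Constructed sample users; alice and carol chose the same password.
    users = [("alice", "correct horse"), ("bob", "tr0ub4dor"), ("carol", "correct horse")]
    shared = b"\x00" * 16  # weak configuration: one site-wide salt for every row
    weak = [make_record(u, p, salt=shared) for u, p in users]
    strong = [make_record(u, p) for u, p in users]  # per-user random salts
    return audit(weak), audit(strong)

if __name__ == "__main__":
    weak_report, strong_report = demo()
    print("shared salt:  ", weak_report)
    print("per-user salt:", strong_report)
```

With the shared salt, the audit groups alice and carol as one duplicate pair; with per-user salts the same two passwords produce unrelated rows.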