Brute force, since the algorithm for hashing the password would often also be known, or comparison to a previously generated list of password-hash combinations.

You can’t go backwards from a hash to a password, so instead you calculate the hashes for LOTS of passwords and compare them until one matches.

Eg. All I know is that the sum of an unknown quantity of single digit numbers equals 39. I can’t go backwards from 39 to find those numbers, so instead I do this;

1+1=2 no match

1+2=3 no match

1+3=4 no match

…

9+9+1=19 no match

…

9+9+9+9+3= 39 match! Password cracked

Note that something like 5+5+5+5+5+5+5+4 also equals 39. In hashing this is called a collision, it is VERY rare but it actually doesn’t matter to an attacker, both passwords will work as long as the hash is the same.

There are ways to do this other than brute force as shown above, but the process is the same. Calculating LOTS of hashes and comparing them until hopefully you find a match.

It’s the same way someone would brute force your password when they try to just enter it in a login form.

But if you would try to login on a website with “1234”, “1235”, etc. you have to wait a fairly long time until you get a reply and might get locked out of trying because of captchas.

Instead you just do exactly the same but using the hash as a form of verification. You just use “1234”, “1235” etc. and hash them in the same way. If you got a match, you can login! This is so much faster and you will never get locked out of trying since you don’t need to communicate with any server.

A different reply tackled the topic of hash collisions. The great thing: if you find a different password that also creates the same hash (collision), you can use this different password as well to log in, since the server will not see any difference!