Comment Re: There we go again (Score 2) 383
The point he was making is that with proper procedure, a hash could never be attacked offline. As soon as the hash database were compromised, all hashes contained therein would be invalidated. The attacker could brute force that database to their heart's content, and no valid passwords would ever result from it.
This of course assumes the administrators are paying close enough attention to notice in short order when the database has been compromised, and that all users define a secondary means of contact through which to send a reset password. It also ignores the issue that most users use the same username and password across multiple sites, such that a pair compromised on one site and invalidated as described would still be valid on another site.
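The procedure discussed in the comment above, as an added example that is not part of the original post: every stored hash carries a generation number, and a detected compromise bumps the generation so that even correct passwords stop verifying until the user resets through a secondary contact. The class name, method names, PBKDF2 parameters and sample accounts are all assumptions constructed for this sketch.

```python
import hashlib, hmac, os, secrets

class CredentialStore:
    """Toy per-site credential store, constructed for this example."""
    def __init__(self):
        self.generation = 0      # bumped each time the hash database is known compromised
        self.records = {}        # user -> (generation, salt, derived key)
        self.contacts = {}       # user -> secondary contact address
        self.reset_tokens = {}   # user -> SHA-256 of an outstanding reset token

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, user, password, contact=None):
        salt = os.urandom(16)
        self.records[user] = (self.generation, salt, self._kdf(password, salt))
        if contact:
            self.contacts[user] = contact

    def verify(self, user, password):
        rec = self.records.get(user)
        if rec is None:
            return False
        gen, salt, digest = rec
        matches = hmac.compare_digest(digest, self._kdf(password, salt))
        # A correct password is still refused if its hash predates the breach.
        return matches and gen == self.generation

    def invalidate_all(self):
        """Call on detected compromise; returns {contact: reset token} to send out."""
        self.generation += 1
        outbox = {}
        for user, contact in self.contacts.items():
            token = secrets.token_urlsafe(32)
            self.reset_tokens[user] = hashlib.sha256(token.encode()).digest()
            outbox[contact] = token
        return outbox

    def reset(self, user, token, new_password):
        expected = self.reset_tokens.get(user)
        offered = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, offered):
            return False
        del self.reset_tokens[user]   # reset tokens are single use
        self.set_password(user, new_password)
        return True
```

A user with no secondary contact on file gets no reset token and stays locked out, and a second `CredentialStore` holding the same password is unaffected by the first store's invalidation, which are the two caveats the comment raises.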