The term password cracking generally refers to the recovery of one or more plaintext passwords from hashed passwords, but there are also many other ways of obtaining passwords illicitly. Without the hashed version of a password, the attacker can still attempt to access the computer system in question with guessed passwords. However, well-designed systems limit the number of failed access attempts and can alert administrators to trace the source of the attack if that quota is exceeded. With the hashed password, the attacker can work undetected, and if the attacker has obtained several hashed passwords, the chance in practice of cracking at least one is quite high.
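The failed-attempt quota described above, sketched as an added example (not part of the original article): a per-account limiter that locks the account and records an alert naming the source addresses once the quota is exceeded. The policy values, class and function names, and sample events are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed policy (not from the article): 3 failures per 5 minutes, 15 minute lockout.
QUOTA, WINDOW, LOCKOUT = 3, 300, 900

class FailedLoginLimiter:
    def __init__(self, quota=QUOTA, window=WINDOW, lockout=LOCKOUT):
        self.quota, self.window, self.lockout = quota, window, lockout
        self.failures = defaultdict(deque)  # account -> recent (time, source) failures
        self.locked_until = {}              # account -> time the lockout ends
        self.alerts = []                    # what an administrator would be sent

    def attempt(self, ts, account, source, password_ok):
        """Process one login attempt; return 'ok', 'fail' or 'locked'."""
        if self.locked_until.get(account, 0) > ts:
            return "locked"  # refused outright, even if the password is right
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        recent = self.failures[account]
        recent.append((ts, source))
        while recent and recent[0][0] <= ts - self.window:  # drop old failures
            recent.popleft()
        if len(recent) > self.quota:  # quota exceeded: lock and alert with sources
            self.locked_until[account] = ts + self.lockout
            self.alerts.append({"account": account, "time": ts,
                                "sources": sorted({s for _, s in recent})})
            recent.clear()
        return "fail"

# Constructed sample events: (time in seconds, account, source address, password_ok)
EVENTS = [
    (0, "alice", "203.0.113.7", False),
    (10, "alice", "203.0.113.7", False),
    (20, "alice", "203.0.113.9", False),
    (30, "alice", "203.0.113.7", False),   # fourth failure exceeds the quota
    (40, "alice", "203.0.113.7", True),    # correct password, but account is locked
    (50, "bob", "198.51.100.4", False),
    (60, "bob", "198.51.100.4", True),     # one mistyped password does not alert
    (1000, "alice", "192.0.2.10", True),   # lockout ended at 930
]

def replay(events, **policy):
    """Feed events through a fresh limiter; return per-event results and alerts."""
    limiter = FailedLoginLimiter(**policy)
    return [limiter.attempt(*e) for e in events], limiter.alerts

if __name__ == "__main__":
    print(replay(EVENTS))
```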
Other ways to obtain passwords include social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attacks, acoustic cryptanalysis, using a Trojan horse or virus, identity management system attacks (such as abuse of self-service password reset) and compromising host security (see password for details).
Common methods for verifying users over a computer network often expose the hashed password. For example, the use of a hash-based challenge-response authentication method for password verification may provide a hashed password to a network eavesdropper, who can then crack the password. A number of stronger cryptographic protocols exist that do not expose hashed passwords during verification over a network, either by protecting them in transmission using a high-grade key, or by using a zero-knowledge password proof.