GG Netflix with the "break-up" check box

I have no interest in arguing on the Internet, but you sound so sure in what you're saying and it goes against what I understand of password cracking. I'd like one of us to find they're wrong and learn from the other.

I am a naive, arrogant 20 year old with no real experience with crypto-security.

You absolutely have a deeper understanding of this topic than I do, and my condescending tone was unjustified.

I'm full of shit, but I'm genuinely excited by this topic and your thought-out reply was appreciated more than I can express.

If it took thousands of years, it would take thousands of years when you log into Netflix, right?

I don't think it's the same in that direction, because when logging in, the user provides the secret in plaintext right off the bat.

Turning a hashed password into plaintext is what takes a very long time.

It can be done quickly using rainbow tables, which salt prevents, or by brute-forcing, which I believe bcrypt would prevent.

Bcrypt does more than simply salting the password.

From Wikipedia:

Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

So, given the method you described:

I take my dictionary and apply the salts. Then I hash each password & salt and compare with the password dump.

Would bcrypt prevent your dictionary attack in any way?
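An added example, not written by anyone in this thread, of what the per-user salt and the adjustable cost do to the dictionary attack described above, and why the legitimate login stays cheap. It uses PBKDF2 from Python's standard library as a stand-in for bcrypt (an assumption, so it runs offline); the accounts and wordlist are constructed.

```python
import hashlib
import os

# Stand-in for bcrypt so the example runs offline with only the standard library:
# PBKDF2-HMAC-SHA256 also takes a per-user salt and an adjustable cost (the
# iteration count). This is an assumption for illustration, not bcrypt itself.
def slow_hash(password: str, salt: bytes, cost: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)


def register(password: str, cost: int) -> dict:
    """Server side: store a fresh random salt, the cost and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "cost": cost, "hash": slow_hash(password, salt, cost)}


def login(record: dict, attempt: str) -> bool:
    """A legitimate login pays for exactly one hash, because the user supplies the plaintext."""
    return slow_hash(attempt, record["salt"], record["cost"]) == record["hash"]


def dictionary_attack(dump: dict, wordlist: list) -> tuple:
    """The attack from the thread: hash every word under every user's salt.

    Returns (cracked passwords, number of slow hashes computed). The per-user salt
    means nothing can be precomputed once and reused across accounts, and each of
    those hashes costs `cost` iterations, which is what the adaptive work factor buys.
    """
    cracked, work = {}, 0
    for user, rec in dump.items():
        for word in wordlist:
            work += 1
            if slow_hash(word, rec["salt"], rec["cost"]) == rec["hash"]:
                cracked[user] = word
                break
    return cracked, work


def demo(cost: int = 1000) -> tuple:
    """Constructed sample: three accounts (a leaked 'dump') and a tiny wordlist."""
    dump = {
        "alice": register("password", cost),
        "bob": register("letmein", cost),
        "carol": register("dZ4!uq9#Lw2&pR", cost),  # constructed strong password
    }
    wordlist = ["123456", "password", "qwerty", "letmein"]
    # A slow, salted hash does not prevent this attack; it makes each of the
    # `work` hashes `cost` times slower while the user's own login stays one hash.
    return dictionary_attack(dump, wordlist)
```

Raising `cost` leaves the cracked set and the hash count unchanged but scales the attacker's wall-clock time per guess, which is the adaptive property the Wikipedia quote describes.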

Instead of trying multiple passwords on one account, try one or two passwords on thousands of accounts. Eventually, you find one with a weak password.

I didn't think about that, especially with multiple IP addresses. But I consider that a pretty long shot with a low chance of success.
