I have no interest in arguing on the Internet, but you sound so sure of what you're saying and it goes against what I understand of password cracking. I'd like one of us to find they're wrong and learn from the other.
I am a naive, arrogant 20-year-old with no real experience with crypto-security.
You absolutely have a deeper understanding of this topic than I do, and my condescending tone was unjustified.
I'm full of shit, but I'm genuinely excited by this topic and your thought-out reply was appreciated more than I can express.
If it took thousands of years, it would take thousands of years when you log into Netflix, right?
I don't think it's the same in that direction, because when logging in, the user provides the secret in plaintext right off the bat.
Turning a hashed password into plaintext is what takes a very long time.
It can be done quickly using rainbow tables, which salt prevents. Or brute-forcing, which I believe bcrypt would prevent.
Bcrypt does more than simply salting the password.
From Wikipedia:
Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.
So, given the method you described:
I take my dictionary and apply the salts. Then I hash each password & salt and compare with the password dump.
Would bcrypt prevent your dictionary attack in any way?
Instead of trying multiple passwords on one account; try one or two passwords on thousands of accounts. Eventually, you find one with a weak password.
I didn't think about that, especially with multiple IP addresses. But I consider that a pretty long shot with a low chance of success.
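Added example, not part of the original comment: a small cost comparison between the login path (one hash of the supplied plaintext) and checking a wordlist against a salted dump, at two work factors. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt as an assumption, and the accounts, wordlist and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and two made-up accounts.
WORDLIST = ["123456", "password1", "letmein"]
PASSWORDS = {"alice": "password1", "bob": "correct horse battery staple"}

def kdf(password, salt, iterations):
    # Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt. Both mix in a
    # per-user salt and repeat the work `iterations` times (bcrypt: 2**cost).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(password, iterations):
    salt = os.urandom(16)  # stored in the clear next to the hash
    return {"salt": salt, "iterations": iterations,
            "hash": kdf(password, salt, iterations)}

def verify(record, candidate):
    # Login path: the user supplies the plaintext, so this is one kdf call.
    digest = kdf(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def offline_guess_cost(records, wordlist):
    # Dump path: every word must be re-hashed under every account's salt,
    # so nothing can be precomputed or shared between accounts.
    calls, inner_iterations, matched = 0, 0, []
    for user, record in records.items():
        for word in wordlist:
            calls += 1
            inner_iterations += record["iterations"]
            if verify(record, word):
                matched.append(user)
                break
    return calls, inner_iterations, matched

def build(iterations):
    return {u: make_record(p, iterations) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    for iterations in (1_000, 50_000):
        calls, work, matched = offline_guess_cost(build(iterations), WORDLIST)
        print(f"iterations={iterations}: login=1 kdf call, "
              f"dump={calls} kdf calls ({work} inner iterations), "
              f"weak={matched}")
```

The password that is in the wordlist is found at both work factors; raising the iteration count multiplies the cost of each guess by the same factor for the login and for the dump, and the dump pays it once per word per account.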