I guess attacker can find a collision to hash (using bruteforce), not real password (because real password should be very strong)
I guess attacker can find a collision to hash (using bruteforce), not real password (because real password should be very strong)