You are still not understanding how these offline attacks work.
Assuming that was a hashed password (it is not), the way that these boxes crack it is they hash all possible passwords and test the resulting hash to see if it matches your hash. When they find an input that matches your hash, they have "decrypted your password".
What an offline attack does not do, which is where you are mixed up, is try to log into Facebook/Twitter/etc. over and over trying different possible passwords. Some other security breach reveals the stored hashes of user passwords, and that stolen list of password hashes is what gets run through these systems.
Then, when they find a batch of inputs that hash to some of the stolen hashes, then they start trying those both at the site of the breach, and at other sites, often to great success, because they never trip the "10 test attempts" (they have an input that works, first time) and due to the all too common reuse, learning a users craigslist (for example) password is often enough to gain access to their gmail account.
> they hash all possible passwords and test the resulting hash to see if it matches your hash.
This is the key thing to remember. There is no requirement that the password cracker needs to find exactly the same thing you would type for your password, they only need to find an input that has the same hash as your password. You can think of it like an alternate password; there won’t be any way for the site to distinguish between the real password and the alternate(s).
They key to a good hash algorithm for passwords is to make collisions rare (this is accomplished by making the hash longer than the average password; the more bits there are in the hash the rarer collisions will be) and to take a long time to compute (usually by adding rounds to force the attacker to take more time on each input).
When they find an input that matches your hash, they have "decrypted your password".
So correct me if I'm wrong but in order for this to work, the cracker will need both my hashed password AND the hash algorithm that was used AND any salt that was used for the hash.
Why does he need to crack anything --- it sounds like he already has full access to my system?
If by "your system" you mean the one PC upon which you are typing your comments right now, the provided you have used a unique password for that system, and only that system, then yes, by the time they have the hash and salt, they've already gained access.
That's a targeted attack, and that is usually not the direction these GPU Hashcat rigs are aimed.
Instead the attacker is merely playing the odds. Those odds being that a rather good number of users of system X (gmail, for example) will reuse their gmail password at another website (Experian, for example).
So they will target that other website (Experian) and when they find a breach, will hoover out the user names, password hashes, salts, and will know the algorithm Experian used (because somewhere in the data trove they hoovered up, the algorithm was indicated).
They will then set their GPU Hashcat rig upon the Experian breach data, looking for input strings that hash to stored hashes from their data. They don't care which individuals, they care that they will find working password inputs for, say, 15% of their breach data. If their experian dataset was for 50M users, a 15% success rate gives them 7.5M pairs to use further.
Then, armed with user names and working passwords from their Experian breach data they set out trying those users and passwords against gmail. They don't trip any "ten tries and you are out" traps because they only do one try per cracked user/password pair. It the user/password pair fails they simply move on to the next user/password pair. But, if the user/password pair works, then they have now breached someone's gmail account, and can now set out about taking over their other accounts (because gmail is often their recovery email for those other accounts). Some of those other accounts will be the crackers real target, those userss banking/financial accounts.
But the crackers don't care who they are targeting, just that 15% of their Experian data will yield useful pairs, and that 15% of those pairs will work when tested on gmail (15% of 7.5M is 1.125M working gmail accounts they can take over). And that 15% of the gmail accounts they breach will have banking/financial accounts they can do a password reset upon (15% of 1.125M 168,750 users). And even if each user yields merely an average of $1k, that works out to a very nice take of $168M for the crackers.
> Why does he need to crack anything --- it sounds like he already has full access to my system?
They're not interested in access ingredients. They usually either break into a company's systems and extract the hashed and (hopefully) salted passwords or buy a hashed password dumb from places like breached.to or cracked.to, and formerly raidforums.com.
They don't need access to your computer. They want to get access to as many valuable websites as possible and sell those account or (in rare cases) extract personal information such as Credit Card details or PII used to impersonate you.
There’s multiple inputs that can get the same hash. Say if your hashed password was 7, and that came from 2+5. Someone bruteforcing can input 6+1 and get 7, also. They don’t need to know what your input was, they just need to find an input that hashes to match the hash of yours.
Assuming that was a hashed password (it is not), the way that these boxes crack it is they hash all possible passwords and test the resulting hash to see if it matches your hash. When they find an input that matches your hash, they have "decrypted your password".
What an offline attack does not do, which is where you are mixed up, is try to log into Facebook/Twitter/etc. over and over trying different possible passwords. Some other security breach reveals the stored hashes of user passwords, and that stolen list of password hashes is what gets run through these systems.
Then, when they find a batch of inputs that hash to some of the stolen hashes, then they start trying those both at the site of the breach, and at other sites, often to great success, because they never trip the "10 test attempts" (they have an input that works, first time) and due to the all too common reuse, learning a users craigslist (for example) password is often enough to gain access to their gmail account.