next up previous
Next: Salting the password file Up: Application of one-way functions Previous: Application of one-way functions

Dictionary attack on password files that use a one-way function

Use of a one-way function with a password file does not eliminate the risks associated with a hacker getting her hands on the password file. Because they need to remember their passwords, users tend to choose common words or names as passwords. A hacker could prepare a list of ten thousand or so commonly used passwords (such a list is called a dictionary, whether or not its entries are real words). She could then apply the one-way function to each of them and look for the resulting values in the password file. Each match gives her the password of a user, and because the file stores the bare output of the one-way function, one computation per dictionary word is enough to test that word against every user in the file at once.

One might argue that the hacker could try out each of the words in the dictionary by simply trying to log in. (This is the view of hacking presented in the movie War Games.) After all, this attack does not require the hacker to access the password file. There are three reasons why this attack is likely to be much less effective than one involving the password file. First, a good computer system incorporates a delay into the log-in procedure: the user is forced to wait a few seconds between successive attempts to log in. Consequently it is infeasible to try out thousands of different passwords. In contrast, the hacker can test tens of thousands of potential passwords each second against a password file (on the hardware of the time; against a fast one-way function such as MD5 or SHA-1, modern hardware reaches billions per second). Second, after some user has made numerous unsuccessful attempts to log in, system administrators are alerted that an attempt to break in may be underway, or the account is locked. Third, this attack requires that the hacker try each password separately with each user name, so the number of guesses grows with the number of users; according to what we have seen so far, the hacker with access to the password file can apply the one-way function to a potential password just once and then quickly see if the resulting value occurs anywhere in the password file.
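The following program, added here as an illustration and not part of the original page, carries out the offline dictionary attack described above against an unsalted password file and contrasts its cost with guessing at the login prompt. The page names no particular one-way function, so SHA-256 is assumed; the password file, the user names and the dictionary are constructed for the example.

```python
"""Offline dictionary attack against an unsalted password file.

Added example, not from the original page. The one-way function is
assumed to be SHA-256 (the page names none), and the password file and
dictionary below are constructed for illustration.
"""
import hashlib


def one_way(password: str) -> str:
    """The one-way function applied to a password before storage (assumed: SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed password file: one "user:hash" line per user, no salt.
USERS = {
    "alice": "sunshine",
    "bob": "dragon",
    "carol": "letmein",
    "dave": "sunshine",            # same weak password as alice
    "erin": "Tq7#v9!pLz2&wQx",     # not in the attacker's dictionary
}
PASSWORD_FILE = "\n".join(f"{user}:{one_way(pw)}" for user, pw in USERS.items())

# Constructed attacker dictionary of commonly used passwords.
DICTIONARY = ["123456", "password", "letmein", "dragon", "sunshine",
              "qwerty", "football", "monkey", "abc123", "iloveyou"]


def parse_password_file(text: str) -> dict[str, str]:
    """Parse 'user:hash' lines into a {user: hash} mapping."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, digest = line.split(":", 1)
        entries[user] = digest
    return entries


def dictionary_attack(password_file: str, dictionary: list[str]) -> tuple[dict[str, str], int]:
    """Recover every user whose password appears in the dictionary.

    Each dictionary word is hashed exactly once, however many users the
    file holds; the hashes are then matched against all entries by lookup.
    Returns (recovered {user: password}, number of one-way evaluations).
    """
    entries = parse_password_file(password_file)
    # Reverse table: hash -> candidate password, built once for the whole file.
    table = {one_way(word): word for word in dictionary}
    evaluations = len(dictionary)
    recovered = {user: table[digest] for user, digest in entries.items() if digest in table}
    return recovered, evaluations


def online_guess_cost(num_users: int, dictionary_size: int, delay_seconds: float) -> float:
    """Seconds an online attack needs: every word tried separately for every
    user name, paying the login delay each time (lockout and alerting ignored)."""
    return num_users * dictionary_size * delay_seconds


if __name__ == "__main__":
    found, n = dictionary_attack(PASSWORD_FILE, DICTIONARY)
    print(f"{n} hash computations recovered {len(found)} of {len(USERS)} passwords:")
    for user, pw in sorted(found.items()):
        print(f"  {user}: {pw}")
    print("online equivalent at a 3 s login delay:",
          online_guess_cost(len(USERS), len(DICTIONARY), 3.0), "seconds")
```

Note that alice and dave fall together: identical passwords produce identical entries in an unsalted file, so one lookup exposes both, which is exactly the property the next section removes by salting.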





Lisa Eckstein
Thu Nov 21 01:20:27 EST 1996