Offline password cracking is still very much a thing. They steal the entire password database then crack it offline at their leisure, not live against the regular login.

Several measures are required to defend against this:

• Hash seeds defend against rainbow tables.
• Password length & complexity as well as using computationally-intensive hash algorithms defend against the brute-force cracking.
• Password managers help with length and complexity, sad well as promote not reusing passwords.