It’s about attack and defense in cyberspace.

In the early days, breaking a login meant a password brute-force attack: trying every combination.

Then password policies were imposed to enforce password complexity, password history, password age, account lockout, etc.

The rainbow table then came onto the scene. All password combinations are pre-computed into their equivalent hashes, which are matched against the collected irreversible hash. Break-in is then fast.

Salt and pepper were then added to the password hash as a countermeasure to rainbow tables.
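To make the rainbow-table point concrete, here is an added example (not from the original post) that builds a precomputed hash table over a constructed three-word list, shows that it recovers an unsalted SHA-256 hash instantly, and shows that a random per-user salt plus a server-side pepper and a slow KDF (PBKDF2 here) leaves the same table with nothing to match. The record layout and the pepper value are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the "all combinations" a rainbow
# table pre-computes (a real table covers a keyspace, not three words).
SAMPLE_WORDLIST = ["password", "letmein", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: what a rainbow table is built against."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(wordlist) -> dict:
    """Map hash -> password once; every later lookup is a dictionary hit."""
    return {unsalted_hash(w): w for w in wordlist}


def lookup_unsalted(stored_hash: str, table: dict):
    """Recover the password if its unsalted hash is in the precomputed table."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, pepper: bytes, iterations: int = 100_000) -> bytes:
    """Salt (stored next to the hash) + pepper (kept out of the database) + slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, iterations)


def register(password: str, pepper: bytes) -> dict:
    """Store a random per-user salt alongside the derived hash (assumed record layout)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt, pepper)}


def verify(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])


def lookup_salted(record: dict, table: dict):
    """The table only knows unsalted hashes, so a salted hash never matches it."""
    return table.get(record["hash"].hex())
```

Because the salt is random per user, two users with the same password get different hashes, so a table would have to be rebuilt per salt, which is the whole point of the countermeasure.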

Pass-the-hash then defeats the salt, because the authenticated credential is cached in memory. By installing a persistent backdoor and listening for an admin login, the attacker grabs the hash and then traverses the network with it.

So the race continues. And no matter how advanced the deployed cyber protections are, a negligent user with an unattended login session renders all of them useless.

Therefore, educating users in proper discipline and usage in cyberspace is the number one defense.
