Yeah, the only way an attacker has to obtain the password is to hash and check it character by character.
This is called brutforce attack. And this needs a lot of computing power. You can check here how long it would take to bruteforce your password approx.: https://howsecureismypassword.net/