Turns out there are plenty (according to Ars Technica) of password “recovery” tools out there. They use graphics cards to do the work. A good example is that with two graphics card, it takes 56 seconds to crack a random 8 character password! Wow, makes you really think about how passwords are being used particulary given everything that is stuffed in the cloud. Hashcat is an example is a good example of an open source tool. It knows a bunch of password algorithms (from Windows to SQL Server) so you just run it against a hash and then see what the password is. The thing is completely offline so it is pretty amazing.
overview — bruteforcing an 8 character password consisting of a-z, 0-9 (2,821,109,907,456 possible combinations) estimated time to run thru the entire keyspace was 10 minutes. the actual time it took to find the password was 56 seconds (see below).
