It's been awhile, but I know there were various LANMAN attacks and such that made cracking windows passwords really easy. It's always a cat and mouse game, hell, I remember being in College hearing how MD5 was uncrackable, could only be brute forced, by the time I graduated MD5 hash collisions trivialized all that.

A lot of times shitty companies hide their multimillion dollar software behind simple security through obscurity bs. I've cracked multiple HASP dongle programs that only had simple test donglestatus, jne nodongle almost everytime. The most complex dongle I defeated took me about 10 hours. I created my own dll injection and overwrote most of the HASP API so that I could provide my own responses (luckily they didn't hide any code on the actual dongle as that was MIA), all the information on how to do that was part of the HASP API, just had to find the proper calls and replace em with my own functions returning bullshit that's similar.

I've had to go in and do some database modification for apps that didn't allow me into the database, it'll be existing in plaintext in some form or another (sometimes can just capture the SQL opening up the database, but usually it's also just hiding in plaintext somewhere).

That being said, our admin's Windows NT password was ~13 characters, couple special chars and took about two weeks with a few of our geeks in school dividing our awesome Pentium 2 power at home running l0pht against it in the late 90s.