Getting users to choose secure passwords is really, really hard... No matter how much you try and impress upon them the fact that both their and the company's security relies upon the passwords they choose, they still insist on choosing something like "chocolate" or "bob". With enough training, cajoling and threats you can probably train them to get to something like "P@ssw0rd!", but that seems to be about the best you can hope for.

One solution to this is to regularly audit users' passwords -- this basically involves taking the password file (with the encrypted passwords), performing a modified dictionary attack or just a brute-force attack against the passwords, and emailing the users with poor choices.
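A minimal sketch of such an audit, added here as an example and not the author's own code: the `user:salt:hash` file format, the PBKDF2 scheme, the sample accounts and the mutation rules are all assumptions constructed for illustration. It reports only which users to notify, never the recovered password.

```python
import hashlib
import itertools

ITERATIONS = 1000  # assumption: kept low so the example runs quickly
LEET = {"a": "@", "e": "3", "o": "0", "s": "$"}   # common substitutions
SUFFIXES = ["", "!", "1", "123"]                   # common endings

def hash_password(password, salt):
    """Assumed scheme for this example: salted PBKDF2-HMAC-SHA256, hex-encoded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def variants(word):
    """Yield the 'modified dictionary' forms of one word."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    for combo in itertools.product(*options):
        plain = "".join(combo)
        for cased in {plain, plain[:1].upper() + plain[1:]}:
            for suffix in SUFFIXES:
                yield cased + suffix

def audit(password_file_lines, wordlist):
    """Return the users whose stored hash matches a dictionary variant."""
    to_notify = []
    for line in password_file_lines:
        user, salt_hex, digest = line.strip().split(":")
        salt = bytes.fromhex(salt_hex)
        if any(hash_password(v, salt) == digest
               for word in wordlist for v in variants(word)):
            to_notify.append(user)
    return sorted(to_notify)

def make_line(user, password, salt_hex):
    return f"{user}:{salt_hex}:{hash_password(password, bytes.fromhex(salt_hex))}"

# Constructed sample data: three weak choices from the text, one random password.
SAMPLE_FILE = [
    make_line("alice", "chocolate", "a1b2c3d4"),
    make_line("bob", "bob", "0f1e2d3c"),
    make_line("carol", "P@ssw0rd!", "11223344"),
    make_line("dave", "kV9#tq2LmXw-7", "99887766"),
]
WORDLIST = ["chocolate", "bob", "password"]

if __name__ == "__main__":
    for user in audit(SAMPLE_FILE, WORDLIST):
        print(f"notify {user}: password is a dictionary word or simple variant")
```

Because each entry has its own salt, every candidate has to be re-hashed per user, which is why the cost of an audit grows with both the wordlist and the number of accounts.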

There are other reasons that it is sometimes necessary to break passwords -- for example, I recently ended up with a bunch of Sun Enterprise servers. I mounted the drives under Linux, but wanted to be able to recover the root password so that I could log in to the others without having to pull drives, etc.

Password hashes are specifically designed to be computationally infeasible to brute-force, so I started looking into doing this in hardware.