Password crackers work in generally one of three ways. Many modern cracking tools operate in all three methods, just not at the same time.
Dictionary attack
In a dictionary attack, the password cracking program uses a wordlist(s) called a dictionary. It takes each phrase, hashes it and compares that to the encrypted hash of the target. This is incredibly fast. A 2001 machine could test over 35 million phrases per second. That is more words than in the english language. Imagine what modern computers with fast GPUs can do. This allows crackers to use larger dictionaries, which they expand based on their knowledge of human behavior. They know people like to add a number around a word, so instead of the dictionary having just "flower" it will have "flower1" "flower2"..."flower56" "1flower" "2flower"..."56flower" etc
Brute-force attack
A Brute-force attack will try every possible permutation, within a "set", hashes each permutation, and compares the hash to the hash on the target, until it has found a match. A "set" are the parameters the attacker tells the cracking program to use. The attacker may tell the program to use lower-case alpha, UPPER-CASE alpha, 0123456789, with a maximum password length of 8 characters. The program may start "aaaaaaaa", "aaaaaaab" etc until every possibility has been tried or a match found.
How many possible passwords is it?
If you have a 4 digit(numbers) password, say the PIN code at your bank, that is 10,000 combinations possible. Explained: You have 0001 through 9999, that is 9,999 possible. Add 0000 as a possibility and that makes 10,000. Another way to express that is this: For each of the 4 positions, you have a maximum of 10 possibilities, the digits, 0 through 9. 10 possibilities in 4 positions is 10^4 (ten to the fourth power), or 10 x 10 x 10 x 10, or 10,000
With me so far?
Now lets add some lower-case alphas. 26 letters in the alphabet, plus the 10 digits, makes 36 possibilities for each position. That 4 character password can now be expressed as 36^4, or 1,679,616 total possibilities.
Lets add UPPER-CASE alphas. That is another 26 letters. So 26 UPPER-CASE, 26 lower-case, and 10 digits, is 62 possibilities. That 4 char password is now 62^4, or 14,776,336 total
Lets add some symbols. !@#$%^&*() -_=+[]\{}|;':",./<>?~ Just using the ones on the keyboard, no high-ansi symbols, this gives 90+ possibilities. It may be 91 or 92, depending on if the grave accent ` or other characters are allowed. Space(the space bar) is also a special character and is allowed in some passwords. I generally use "90" as my number for calculations here, as there are often a few char not allowed in a password.
So now with 90 possibilities that 4 char password is now 90^4, or 65,610,000 total
This may seem like a lot, but a computer from 2001 could brute-force over 10 million passwords a second, that would take under 7 seconds. Modern machines and GPUs crack in the billions per second. Modern cracking programs boast they can check over 2.8 billion keys per second. EFF built a dedicated password cracker(high-end hardware) capable of cracking over 90 billion keys per second. Add distributed computing(the ability to use more than one machine simultaneously to accomplish the same task) and those numbers shoot up.
So what do we do? Give up? NO! Make stronger passwords!
Lets use that 90 possible from earlier, and make the password longer.
8 char pass, 90^8, 4,304,672,100,000,000. That over 4 quadrillion
8 used to be the recommended minimum. Now, 12 is the new 8
12 char pass, 90^12, 282,429,536,481,000,000,000,000, or 282+ sextillion
Now we're talking, right? Well divide that number by the measly 10,000,000 passwords per second that my old 2001 machine could crack, and that is 28242953648100000 seconds, or 895578.18 millennium, or 895,000+ thousand years.
Using 3 billion keys per second, a conservative number that most modern hardware can hit, that would take 2985.26 millennium
Much better
What can we learn from this? The trick to defeating an attacker using a password cracker, is to use a strong set. No attacker has millenniums to find a password, so they crack based on smaller sets. Password crackers rarely go after symbols, they will crack on a 62 char set, the 26 UPPER 26 lower and 10 digits, and usually for a length shorter than 12 char. Changing your password with some regularity will also help defeat them, as the password they are working so hard to crack has now been changed.
You may be saying "I can just blank the password with xyz tool" and you certainly can. But if there is encrypted data tied to that password, blanking the password will not give you access to that protected data. If stealth is a goal for the mission, blanking the password will not go well, as the target will know the password has been changed.
HASH attack aka Rainbow Table attack
The third method used is a combination of the first two. In a hash attack the cracking program loads pre-computed hashes, and compares those to the hash on the target. These hash tables, or rainbow tables as they are often called, use each possibility for a set, like brute-force, but those possibilities are hashed, and those hashes are what is loaded in the program. The program then just compares the hashes to the hashes on the target, much like a dictionary attack. It is actually faster, since the hashes(words) in the hash table (dictionary) do not need to be hashed, they are already hashed.
I do not have stats on the speed of hash table attacks, but they are amazingly fast
What is HASHING?
Think of hashing as one-way math. The data, or password in this case, in run through a hashing function or algorithm, which is a mathematical formula where it is difficult to derive the original data(password), given the output of the function(called the "digest") and knowing the formula for the algorithm. MD5 and SHA-3 are examples of hashing functions(algorithms).
