Cracking corporate passwords is different from cracking public MD5 leaks posted on Pastebin. Corporate passwords are not in the formats you are used to: they require capital letters, numbers and/or special characters.
This video by Rick Redman from DerbyCon 2013 discusses:
- How can we use this knowledge to our advantage?
- What sort of tricks are users doing when they think no one is looking?
- What other types of vulnerabilities is a password policy introducing?
- What patterns is password rotation policy creating?