Why Your Password Policy Sucks

Presented at CarolinaCon 7 by

Passwords are the weakest link in any network configuration. Recent breaches have exposed some large databases of passwords, and analysis of those passwords shows that password policies are not working. Even with strict password policies in place, humans are creatures of habit and will construct passwords in the same way every time. These patterns are easily guessable. During this talk we will analyze the cracked passwords from 4-5 of the largest breaches in 2010-2011, including the RockYou breach, Gawker, rootkit.com, eHarmony and a few others. We will look at the most common patterns, and then we will look at attacking them from a pentester's perspective. This talk will also cover some of the more advanced password cracking techniques currently used in today's penetration tests.