Security auditors may use these utilities to test the strength of password policies. By extracting the password hashes from a Windows SAM database, auditors can run brute-force or dictionary attacks against the hashes offline. If the tool cracks a password in minutes, that result is a reportable finding that the organization's password policy is too weak.
extpassword.exe: It cannot "crack" unknown passwords through brute force; it only decrypts passwords that were previously saved by the user on that specific Windows installation.