The assumption is that you have access to the hashed version of the password. That's not so hard to get from some sites. I have retrieved user-password pairs using very simple SQL Injection in some e-commerce sites(not any the big ones, of course).

The numbers give make no sense, because doesn't state which hash is using, and the difference may be huge:

~/john-1.7.2/run$ ./john --test Benchmarking: Traditional DES [128/128 BS SSE2]... DONE Many salts: 906828 c/s real, 908646 c/s virtual Only one salt: 805504 c/s real, 805504 c/s virtual

Benchmarking: BSDI DES (x725) [128/128 BS SSE2]... DONE Many salts: 31271 c/s real, 31334 c/s virtual Only one salt: 30617 c/s real, 30617 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE Raw: 8617 c/s real, 8652 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE Raw: 415 c/s real, 416 c/s virtual

Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE Short: 186368 c/s real, 186741 c/s virtual Long: 528588 c/s real, 531779 c/s virtual

Benchmarking: NT LM DES [128/128 BS SSE2]... DONE Raw: 6575K c/s real, 6588K c/s virtual

Which I find unbelieveable is that lots of web applications use simple MD5-passwords(not the FreeBSD MD5 based version but just MD5 hashes) without even using salts, which makes them almost instantly crackable using Rainbow tables.