I think the assumption here is that the password isn't an MD5 hash, but instead something a little more resilient. If it's MD5, you're probably screwed anyway.
Because algorithms like bcrypt have a computational difficulty parameter. You can dial it up so that every check takes something ridiculous. Now instead of brute forcing all of those possibilities in 10 days, it's 1000 centuries.
Hash functions are designed to be fast, to use them in stuff like hash tables, hash structures, checksums etc when the faster the function the better (as long as it doesn't have too many collisions). If you transfer data fast and need a lot of checksums or if you do operations on hash structures your goal is speed.
On the other hand with passwords you don't want hash, you want encryption and preferably encryption which is very difficult to calculate as encrypting passwords is rare operation and could take those extra CPU cycles for normal use but which is crucial to make it difficult to crack by brute force.
apg is another good one, and if you call it with no arguments, it defaults to 'complex passwords with memorable syllables' (eg "zuWeebsIbep3 (zu-Weebs-Ib-ep-THREE)").