Before using brute-force approaches (as covered well by others here), check whether there are direct preimage cryptanalysis attacks on the password hash algorithm used for the hashes you have - whether it has been "broken" for password hashing purposes. If it has been broken, that may be a much faster way to recover good passwords, though brute-force may still be faster for weaker passwords.

For example, the original 16-hex-byte MySQL hashes are based on a terrible custom hash function which has been broken twice such that passwords can be recovered for all hashes in less than a second, as documented at [MySQL OLD_PASSWORD cryptanalysis?](http://security.stackexchange.com/questions/3133/mysql-old-password-cryptanalysis).

Another example is [LM hash](http://en.wikipedia.org/wiki/LM_hash). Although the underlying hash primitive they used was DES (which doesn't have any practical breaks), the way they used it destroyed the overall strength of the hash.

Note that MD5 has been broken for collision attacks, but not for preimage attacks. So for now we know of no direct attack on MD5-based password hashes and must do brute-force or rainbow. Nevertheless people are now very suspicious of MD5 and it should not be used for password hashing.
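
As an added illustration of the MySQL case above (not part of the original answer), the following sketch implements the pre-4.1 MySQL password hash and uses its 16-hex-character shape to flag accounts still stored in that format. The function names, the sample rows and the UTF-8 encoding are assumptions made for the example, as is the 41-character `*`-prefixed form used for the newer format, which the answer does not mention.

```python
import re

MASK32 = 0xFFFFFFFF
LEGACY_RE = re.compile(r"^[0-9a-fA-F]{16}$")  # shape of the old 16-hex hashes


def mysql323_hash(password: str) -> str:
    """Pre-4.1 MySQL password hash (OLD_PASSWORD), as 16 hex characters."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for byte in password.encode("utf-8"):  # encoding is an assumption
        if byte in (0x20, 0x09):
            continue  # spaces and tabs never reach the hash state
        nr ^= ((((nr & 63) + add) * byte) + (nr << 8)) & MASK32
        nr2 = (nr2 + (((nr2 << 8) ^ nr) & MASK32)) & MASK32
        add = (add + byte) & MASK32
    # The top bit of each half is discarded, so only 62 bits are ever stored.
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def legacy_accounts(rows):
    """Return the users whose stored hash is in the 16-hex legacy format."""
    return [user for user, stored in rows if LEGACY_RE.match(stored)]


# Constructed sample rows (user, stored hash); not taken from any real system.
SAMPLE_ROWS = [
    ("app_ro", mysql323_hash("a")),
    ("app_rw", "*" + "0" * 40),  # placeholder in the newer 41-character format
    ("backup", mysql323_hash("correct horse")),
]

if __name__ == "__main__":
    # No salt and whitespace skipping: these two inputs store identically.
    print(mysql323_hash("correct horse") == mysql323_hash("correcthorse"))
    print("accounts to migrate:", legacy_accounts(SAMPLE_ROWS))
```

Accounts flagged this way need a password reset under a current scheme, since the stored value itself offers no protection.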