First, we check the most used passwords in a big dictionnary.
Any hash algorithm (such as MD5) computes a "fingerprint" proper and unique to each string.
The problem is that being a fingerprint, it doesn't contains the information (the string) itself. so you have to check the fingerprint for all existing characters in all possible combinations (brutforce method) and compare it to the one that was given.
It starts with the md5 check of "a" and "b" [...] "aaaaaa", "aaaaab" etc ... comparing it to the given string.
There are 255 possible computer characters. We must divide the number of operation to be performed, by the processor frequency.
For 1 character, we will have 255 possible combinations, or 255 operations.
2 characters, it will be 255 ^ 2 = 65025 possible combinations.