Databases are stored all over; the user creates the MD5 from a string and the webpage collects it. When you reverse, they only check the hash against the database.
I'm serious, I've had to reverse-engineer projects I've inherited with pre-set administrator users, and simply googling the hashes reveals the password to be "elm", "password", or "9234" or something.
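The lookup described above, as an added example that is not part of the original post: an audit of stored unsalted MD5 hashes against a precomputed table, next to a salted PBKDF2 form that such a table cannot match. The account names, the tiny word list and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a public lookup database.
# The three entries are the passwords quoted in the post above.
WORDLIST = ["elm", "password", "9234"]


def build_lookup(words):
    """Precompute md5(word) -> word, which is all a reverse-lookup site stores."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def audit_md5(stored, lookup):
    """Return {user: recovered_password} for every stored hash found in the table."""
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; a per-user random salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed sample: pre-set accounts as they might sit in an inherited user table.
STORED_MD5 = {
    "admin": hashlib.md5(b"password").hexdigest(),
    "root": hashlib.md5(b"elm").hexdigest(),
    "svc": hashlib.md5(os.urandom(16)).hexdigest(),  # random secret, not in the list
}

if __name__ == "__main__":
    lookup = build_lookup(WORDLIST)
    print("accounts with known-weak passwords:", audit_md5(STORED_MD5, lookup))
    s1, d1 = hash_password("password")
    s2, d2 = hash_password("password")
    print("same password gives same stored value:", d1 == d2)
```

Accounts flagged by the audit need a forced password reset, and the table should be migrated to the salted form on next login.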