I was watching a security vid on Irongeek the other day (I immediately lost track of which specific vid, unfortunately) where the creator gave some interesting advice about doing live password guessing against a remote machine during a pen test. The advice was this: using the "traditional" approach of picking one or a few user accounts and then hitting them with a sizable dictionary of common passwords is usually a poor way to go about things. As an alternative, the author suggests what is basically the opposite approach. Meaning: choose a very small database of the most common passwords and run it against a large list of users. The argument is that you're more likely to be successful, in terms of breaching at least one account, if you try 100 extremely common passwords against 100 accounts than if you try 10,000 common passwords against one account.
My question: what are the advantages and disadvantages of using this approach in a password audit or pen test vs. the approach of attacking one/a few accounts in-depth? The most obvious disadvantage is, well, obvious: if you want or need to target a specific user's account, this approach is probably off the table. On the other hand, it does seem plausible to me that if you're just looking to gain entry into one or two accounts of any kind in an organization that has, say, at least a few hundred users, this might well be a more effective tactic. And maybe, in some circumstances, it might also make dealing with login-attempt throttling/lockout protections easier.
But my personal expertise in password hacking isn't very deep. So, I'll ask those who know more than I: What are other significant practical advantages & disadvantages of using this approach vs. hitting a few accounts with lots of passwords? What are some other common circumstances where it does make sense to use one tactic or the other?
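As an added illustration (not part of the original question), here is how the two patterns described above look from the defender's side: a per-account failure counter, which is all a lockout policy sees, versus a per-source count of distinct accounts, which is the view that exposes the many-users/few-passwords pattern. The log lines and thresholds are constructed for this example.

```python
from collections import defaultdict

# Constructed sample authentication log for this example (not from the original post).
# Each line: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-15T09:00:01 10.0.0.5 alice FAIL
2024-01-15T09:00:04 10.0.0.5 bob FAIL
2024-01-15T09:00:07 10.0.0.5 carol FAIL
2024-01-15T09:00:10 10.0.0.5 dave FAIL
2024-01-15T09:00:13 10.0.0.5 erin OK
2024-01-15T09:01:00 10.0.0.9 frank FAIL
2024-01-15T09:01:02 10.0.0.9 frank FAIL
2024-01-15T09:01:04 10.0.0.9 frank FAIL
2024-01-15T09:01:06 10.0.0.9 frank FAIL
2024-01-15T09:01:08 10.0.0.9 frank FAIL
2024-01-15T09:05:00 10.0.0.7 grace FAIL
2024-01-15T09:05:30 10.0.0.7 grace OK
"""

LOCKOUT_THRESHOLD = 5   # failures on one account that trip a typical lockout policy (assumed value)
SPRAY_MIN_USERS = 4     # distinct accounts one source must fail against to be flagged (assumed value)

def parse_events(text):
    """Parse log lines into (timestamp, source, user, result) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def accounts_hitting_lockout(events):
    """Per-account view (what a lockout policy sees): users whose failures reach the threshold."""
    fails = defaultdict(int)
    for _ts, _src, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)

def sources_spraying(events):
    """Per-source view: sources that fail against many accounts while staying under the
    lockout threshold on each one. Per-account counters never fire for this pattern, so
    correlate on the source instead. In production, also bound the counts by a time window."""
    per_src = defaultdict(lambda: defaultdict(int))
    for _ts, src, user, result in events:
        if result == "FAIL":
            per_src[src][user] += 1
    return {src: len(users) for src, users in per_src.items()
            if len(users) >= SPRAY_MIN_USERS and max(users.values()) < LOCKOUT_THRESHOLD}

def spray_successes(events, sprayers):
    """Accounts where a flagged spraying source eventually logged in successfully."""
    return sorted(user for _ts, src, user, result in events if src in sprayers and result == "OK")
```

On the sample log, the per-account counter only flags `frank` (the one-account, many-passwords pattern), while the per-source view flags `10.0.0.5`, which never exceeded one failure on any account but did get into `erin`.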