Cracking passwords on modern Linux distributions is excruciatingly slow. Once you are root, the most reliable way is to backdoor the system (or strace it) and wait for somebody to log in. The laziest way is to gcore gdm-session-worker or gnome-keyring-daemon, string the core and use it to build a wordlist.
I suggest you use gdm-session-worked as it is much more smaller, contains the login password, and will produce a wordlist of less than 6000 words.
Of course, it would be much more effective to check how each program accepting passwords handle the cleartext, but it is just not lazy.