If the password hash is included in the cookie, you could see its character length to figure out what algorithm it is hashed with (MD5, SHA*, etc.), then if it hasn't been salted and is relatively simple, it could be entered into a rainbow table password-cracker. If not, it's good old brute-forcing for you; that's if you've got a spare computer and days of waiting for the possibility that it is a short password.

But then again all that is pointless, since you can probably set it as your own browser's cookie and simply steal their session.
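
An added example (not part of the original post) that puts the cookie design described above beside an opaque, server-side session token. The function names, the in-memory `SESSIONS` store and the 30-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 1800   # seconds; constructed value for this example
SESSIONS = {}        # sha256(token) -> (user, expires_at); stand-in for a server-side store

def weak_cookie(password):
    """Design the post describes: an unsalted digest of the password as the cookie value.
    It is the same on every login and can be attacked offline if the cookie leaks."""
    return hashlib.md5(password.encode()).hexdigest()

def _key(token):
    # Only a hash of the token is stored, so a leaked store does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_session(user, now=None):
    """Return a random token that carries no information about the password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_key(token)] = (user, now + SESSION_TTL)
    return token

def validate_session(token, now=None):
    """Return the user for a live token, or None if it is unknown, expired or revoked."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(_key(token))
    if entry is None:
        return None
    user, expires_at = entry
    if now >= expires_at:
        del SESSIONS[_key(token)]   # expired: drop it so it cannot be replayed later
        return None
    return user

def revoke_session(token):
    """Logout or incident response: the cookie value stops working immediately."""
    SESSIONS.pop(_key(token), None)

def set_cookie_header(token):
    # HttpOnly keeps the value away from page scripts; Secure keeps it off plain HTTP.
    return f"session={token}; Max-Age={SESSION_TTL}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

A copied token still works until it expires or is revoked, which is why the lifetime is short and revocation is server-side.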