Any length password protected windows 7 box can be opened in about 30 mins if you have physical access.
I wouldn't be surprised at all if only so many bits of the password is included in the hash. This used to be the case in some unixes. The password "mypasswo" would work just as well as "mypassword" or "mypasswokjshgtkjhgfkjletkgjhg" because only the 1st 8 characters were included in the hash. (really dumb idea)