Board Bitcoin Discussion
Re: Are you struggling for passwords for wallet encryption ?
by BubbleBoy on 24/09/2011, 14:23:33 UTC
It's quite possible, depending on the algorithm used and the size of the attacker. The key-space for 9 characters is 6.37 x 10^17 so assuming it's a SHA256 salted hash then the current bitcoin mining network at 15THash/sec will exhaust the keyspace in 12 hours. The US government can probably do it in minutes. You could rent the current mining network for a small multiple of t 6*50BTC*5$ = 1500$/hour, assuming a market for cracking SHA256 hashes would exist.
To escape even the US government use a 16 character random password not generated by a human (no inter-character memory, characters are statistically independent). That is indeed hard to remember.

You obviously haven't heard of key strengthening.  

I am clearly aware of key derivation - that's why I said "depending on the algorithm" and specified the attack scenario. In fact I went as far as suggesting the best password derivation scheme at the moment - scrypt - to the bitcoin developers. That would have been even stronger than the dynamic round count they are currently using.

That said, you must realize that you have no control or information over what key derivation scheme sites you visit are using. A key derivation scheme that employs 1 second of CPU time is completely inadequate for a high traffic site - it will bog down the server CPU with a minuscule number of users currently logging in. That's why many sites use simply a salted hash, or a reduced-round variant like the md5crypt that only uses 5000 iterations. That's an extra 12 bits of entropy, but still not enough to protect a weak password.
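The arithmetic in the post above can be checked with the following added example, which is not part of the original post. It assumes a 95-character printable-ASCII alphabet and passwords of length 1 through 9 (an assumption that reproduces the quoted 6.37 x 10^17), and uses PBKDF2-HMAC-SHA256 as a stand-in for an iterated scheme; it is not md5crypt or the wallet's own derivation.

```python
import hashlib
import hmac
import math
import os

PRINTABLE = 95          # printable ASCII characters (assumption)
NETWORK_RATE = 15e12    # 15 THash/s, the figure quoted in the post


def keyspace(alphabet, max_len, min_len=1):
    """Number of candidates of every length from min_len through max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def stretch_bits(iterations):
    """Extra work per guess, in bits, added by an iterated derivation."""
    return math.log2(iterations)


def hours_to_exhaust(space, rate=NETWORK_RATE, iterations=1):
    """Worst-case hours to try every candidate at `rate` hashes per second."""
    return space * iterations / rate / 3600


def derive(password, salt, iterations):
    """Salted, iterated derivation (PBKDF2 stand-in, see lead-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password, salt, iterations, expected):
    """Constant-time comparison of a fresh derivation with the stored one."""
    return hmac.compare_digest(derive(password, salt, iterations), expected)


if __name__ == "__main__":
    nine = keyspace(PRINTABLE, 9)
    print(f"<=9 chars: {nine:.3g} candidates, {math.log2(nine):.1f} bits")
    for label, it in (("single salted hash", 1), ("5000 iterations", 5000)):
        hours = hours_to_exhaust(nine, iterations=it)
        print(f"  {label}: {hours:,.0f} h (+{stretch_bits(it):.1f} bits)")
    sixteen = keyspace(PRINTABLE, 16, min_len=16)
    print(f"16 random chars: {math.log2(sixteen):.1f} bits, "
          f"{hours_to_exhaust(sixteen):.3g} h at a single hash per guess")
    salt = os.urandom(16)                       # per-password random salt
    stored = derive("constructed-sample", salt, 5000)
    print("verify ok:", verify("constructed-sample", salt, 5000, stored))
```
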