While it is vital that you first protect your site from brute force attacks (lockout), a dictionary test is actually quite good and can assist users by informing them they are using weak passwords.
Another argument that can occur is to not allow user signups with weak passwords. If you choose this method then I am of the ilk that you are doing yourself and the internet as a whole a favor. The standard user would argue against this though and there is the potential loss of users/customers.
Depressingly most will ignore it, but some will listen. Anyhoo. Down to code :)
So firstly, build your password list; it does not take a genius to google for one. We will pretend that list.txt is your password list.
Edited: Implemented various rules to generate passwords from the passed string so that even if we only have a relatively weak password list we can return multiple versions of it.
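    $users = array(); // Fill it via any means you want, we will
                      // pretend it's an array of username + password
                      // (the stored SHA-256 hash)

    foreach ($users as $user) {
        // We are going to loop through each line in the list and
        // then check it against the password
        $handle = fopen('list.txt', 'r');
        if ($handle === false) {
            break; // word list could not be opened
        }
        while (($line = fgets($handle)) !== false) {
            $line = rtrim($line, "\r\n"); // strip the newline before hashing
            if ($line === '') {
                continue;
            }
            $hashes = hashPassword($line);
            foreach ($hashes as $hash) {
                if ($user['password'] === $hash) {
                    // Escape both values since they end up in HTML output
                    echo htmlspecialchars($user['username']) . ' has a weak password of ' . htmlspecialchars($line) . '<br>';
                }
            }
        }
        fclose($handle);
    }

    // Returns the SHA-256 hash of the word and of two common variations of it
    function hashPassword($password) {
        $simple = hash('sha256', $password);
        $numberReplace = hash('sha256', str_replace(array("o", "i", "a"), array(0, 1, 4), $password));
        $stupidUserPassword = hash('sha256', ucfirst($password) . "1");
        return array($simple, $numberReplace, $stupidUserPassword);
    }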
This is but one example, so look at some other answers too, which might be helpful. Any questions, feel free to ask.
Edit 1: Awesome commenter spotted a flaw in my logic, tbh it was a fairly horrible flaw - cheers.
Edit 2: Google rainbow tables and how to generate them for your particular needs. These are pre-hashed lists that would speed up this execution if you are really hardcore about it :)
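The sign-up check mentioned in the answer (refusing weak passwords at registration) can reuse the same three variation rules. The following is an added example, not part of the original answer; the function names and the inline sample word list are assumptions made for illustration.

```php
<?php
// Added example: sign-up-time weak-password check (not the answer's own code).

// Same three variations the answer's hashPassword() produces, but left
// unhashed because at sign-up the plaintext is available for comparison.
function passwordVariants(string $word): array {
    return array(
        $word,
        str_replace(array('o', 'i', 'a'), array('0', '1', '4'), $word),
        ucfirst($word) . '1',
    );
}

// Build a lookup set holding every variant of every word in the list.
function buildWeakSet(iterable $words): array {
    $weak = array();
    foreach ($words as $word) {
        $word = trim($word);
        if ($word === '') {
            continue; // skip blank lines
        }
        foreach (passwordVariants($word) as $variant) {
            $weak[$variant] = true;
        }
    }
    return $weak;
}

// True when the candidate matches a listed word or one of its variants.
function isWeakPassword(string $candidate, array $weakSet): bool {
    return isset($weakSet[$candidate]);
}

// Constructed sample list; in practice load list.txt, e.g. with file().
$sampleWords = array('password', 'letmein', 'dragon', '');
$weakSet = buildWeakSet($sampleWords);

// Constructed candidate passwords as a sign-up form might receive them.
foreach (array('p4ssw0rd', 'Dragon1', 'letmein', 'c0rrect-h0rse-42') as $candidate) {
    $verdict = isWeakPassword($candidate, $weakSet) ? 'rejected' : 'accepted';
    echo $candidate . ': ' . $verdict . PHP_EOL;
}
```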