I would like to perform a dictionary attack or, if it is easier, an attack directly in the database with my hashed passwords in order to find out which users of my site are using simple passwords.
I will be implementing some complexity rules when creating passwords but I would love to be able to contact the users who have simple dictionary words and ask them to change their passwords.
The database is MySQL with MD5 hashed passwords. The rest of the site is written in PHP.
My assumption is I need a dictionary file and then an automated way to test each word against each user, but I have over 1000 users to look through and I am sure there are well over 10,000 potential words to test so I have no idea of the best way to automate that type of thing.
Any help or guidance would be extremely appreciated.
If the MD5 hashes are unsalted, then you will likely be able to read the weak or only moderately strong user passwords in plaintext by entering the hashes into an online rainbow table, for example: http://gdataonline.com/seekhash.php
A dictionary attack is not needed then.
If you are using unsalted MD5 passwords in your application, then you should be beaten up with a rusty iron rod of course.
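An added example, not part of the original posts: because the hashes are unsalted, the audit the question describes does not need a words-times-users loop. Each dictionary word is hashed once and every stored hash is checked with a set lookup. The usernames, passwords and wordlist below are constructed sample data, the function names are hypothetical, and the report deliberately lists only usernames so it never holds a recovered password.

```python
import hashlib


def md5_hex(word: str) -> str:
    """Unsalted MD5 of a UTF-8 string, as lowercase hex."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def candidate_words(words):
    """Yield each non-empty dictionary word plus simple case variants."""
    for raw in words:
        word = raw.strip()
        if not word:
            continue
        # A set removes duplicates such as "dragon" == "dragon".lower().
        yield from {word, word.lower(), word.capitalize()}


def build_weak_hash_set(words):
    """Hash the dictionary once; cost is O(words), independent of user count."""
    return {md5_hex(w) for w in candidate_words(words)}


def find_weak_users(user_hashes, words):
    """Return the sorted usernames whose stored hash matches a dictionary word.

    user_hashes maps username -> stored MD5 hex string (any letter case).
    Only usernames are returned, so the audit output contains no passwords.
    """
    weak = build_weak_hash_set(words)
    return sorted(
        user for user, stored in user_hashes.items()
        if stored.strip().lower() in weak
    )


# Constructed sample data standing in for rows read from the users table.
SAMPLE_USERS = {
    "alice": md5_hex("sunshine"),
    "bob": md5_hex("Dragon"),             # capitalised dictionary word
    "carol": md5_hex("k7#Vq9!tLz2p"),     # not in the dictionary
    "dave": md5_hex("letmein").upper(),   # hash stored as uppercase hex
}
SAMPLE_WORDLIST = ["sunshine", "dragon", "letmein", ""]

if __name__ == "__main__":
    for user in find_weak_users(SAMPLE_USERS, SAMPLE_WORDLIST):
        print(f"{user}: password matches a dictionary word, request a change")
```

With salted hashes the single lookup set no longer works, since each user's salt forces a separate hash per word per user.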