robdigm

Reputation: 143

Are there any known techniques to check strength of passwords stored in database?

I am seeking direction in creating an application that simply checks the strength of the passwords in a database against criteria and also against lists such as: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials

The problem I face is that the passwords are already salted and hashed and I am not sure how to compare and validate the strength of the passwords.

Upvotes: 1

Views: 157

Answers (1)

Adam G

Reputation: 1323

If your passwords are stored acceptably, then the best that you can achieve in storage is a brute force attempt using that password list.

That is to say, take a password from the BadPassword list, take the salt that is stored in the database for that user, apply it to the password you selected then see if the hashes match. Basically your performance is going to be proportional to user count * BadPassword count.

Depending on what you mean by "Hash", with something like SHA-1 you may be able to churn through a surprisingly large number of guesses. But if you are looking at something serious like BCrypt/Argon, it is expensive.

Another thought would be to address the problem on authentication when they next sign in. At this time, you would have the raw password. I would (in context of later sign in) consider using a service like Pwned Passwords (or roll the dataset in your own system). Even otherwise measurably good passwords can be bad choices due to credential stuffing. (Think other services that have been hacked exposing the clear text passwords. Not necessarily a common choice, but will be present in these credential stuffing attacks.)

Upvotes: 1
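Both halves of the answer in working form, as an added example that is not part of the original post or answer: an offline audit that re-hashes each wordlist entry under each account's own salt and compares it to the stored digest (cost is users × wordlist entries, and far higher for a slow KDF), and a sign-in-time check against a breach corpus held locally in the `SHA1HEX:COUNT` line format, looked up by 5-character hash prefix the way a k-anonymity range query works. The storage layout, the two hash constructions, the sample accounts and the corpus lines are all constructed for this example and are not from the question's database or any real dataset.

```python
"""Audit stored salted hashes against a weak-password list, then check a
plaintext password at sign-in against a local breach corpus.
Everything below (record format, hashers, sample data) is an assumption
made for this example, not the asker's schema."""
import hashlib
import hmac
import secrets

# ---- Part 1: offline audit of stored salted hashes ----------------------

def salted_sha1(password: str, salt: bytes) -> bytes:
    """Fast construction SHA-1(salt || password): cheap per guess, so an
    audit (or an attacker) can churn through a large wordlist quickly."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()

def salted_pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow KDF: 100k HMAC-SHA256 rounds per guess. This is the 'expensive'
    case the answer mentions; every wordlist entry costs the full KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Hypothetical per-record algorithm tag -> hasher (assumption for the example).
HASHERS = {"sha1": salted_sha1, "pbkdf2": salted_pbkdf2}

def make_record(user: str, password: str, algo: str) -> dict:
    """Build one constructed user record with a fresh random 16-byte salt."""
    salt = secrets.token_bytes(16)
    return {"user": user, "algo": algo, "salt": salt,
            "digest": HASHERS[algo](password, salt)}

# Constructed sample "database" and wordlist (not real accounts or data).
SAMPLE_RECORDS = [
    make_record("alice", "123456", "sha1"),
    make_record("bob", "correct horse battery staple", "pbkdf2"),
    make_record("carol", "password", "pbkdf2"),
]
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein"]

def audit_records(records: list, wordlist: list) -> dict:
    """Return {user: matched_wordlist_entry} for every account whose stored
    digest equals the digest of some wordlist entry under that account's
    own salt. Work done is len(records) * len(wordlist) hash computations
    in the worst case (no match for anyone)."""
    weak = {}
    for rec in records:
        hasher = HASHERS[rec["algo"]]
        for candidate in wordlist:
            # Constant-time compare; the digests are not secret here, but it
            # is the right habit whenever hashes are compared.
            if hmac.compare_digest(hasher(candidate, rec["salt"]), rec["digest"]):
                weak[rec["user"]] = candidate
                break
    return weak

# ---- Part 2: sign-in-time check against a local breach corpus -----------

def build_ranges(corpus_lines: list) -> dict:
    """Index 'SHA1HEX:COUNT' lines by 5-hex-char prefix, mirroring how a
    k-anonymity range lookup returns all suffixes for one prefix."""
    ranges = {}
    for line in corpus_lines:
        digest, count = line.strip().split(":")
        ranges.setdefault(digest[:5], {})[digest[5:]] = int(count)
    return ranges

def breach_count(password: str, ranges: dict) -> int:
    """Return how many times the plaintext appears in the corpus (0 = absent).
    Only the 5-char prefix would ever leave the host in a remote lookup."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return ranges.get(h[:5], {}).get(h[5:], 0)

# Constructed corpus lines with made-up counts; real datasets are far larger.
CONSTRUCTED_CORPUS = [
    f"{hashlib.sha1(p.encode('utf-8')).hexdigest().upper()}:{n}"
    for p, n in [("123456", 5), ("password", 3), ("qwerty", 2)]
]
RANGES = build_ranges(CONSTRUCTED_CORPUS)

if __name__ == "__main__":
    for user, pw in audit_records(SAMPLE_RECORDS, SAMPLE_WORDLIST).items():
        print(f"weak stored password for {user}: matches wordlist entry {pw!r}")
    for pw in ("password", "correct horse battery staple"):
        print(f"sign-in check {pw!r}: seen {breach_count(pw, RANGES)} times in corpus")
```

The audit only ever finds what the wordlist contains, which is the point the answer makes: for a properly salted slow hash there is no shortcut beyond guessing, so the sign-in-time check on the plaintext is the cheaper and more complete control for catching breached or stuffable passwords.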
