Hacker, Hack Thyself

A few notes not in the post, but I wanted to mention:

Running a long term password crack on your primary GPU (the one used to drive your video) is … surprisingly painful. Even with hashcat on “multitasking friendly and slowest” mode, video performance becomes incredibly sluggish. If you really want to do a long term (as in weeks, not days) password cracking project, you DEFINITELY should build a dedicated machine for it, in my opinion. Way way too painful on your primary machine.

Speaking of password hash cracking “in the cloud :cloud:”, Amazon’s GPUs are super anemic. One GTX 1080 Ti is worth more than three AWS G2.8xlarge instances!

Hashtype: PBKDF2-HMAC-SHA256

9473.2 kH/s   8x 1080
3737.4 kH/s   16x Tesla K80, p2.16xlarge
1730.9 kH/s   1080 Ti
1173.1 kH/s   1080
 883.3 kH/s   1070
 594.5 kH/s   RX 480
 459.6 kH/s   4x GRID K520, g2.8xlarge
 304.7 kH/s   HD 6690
 114.8 kH/s   GRID K520, g2.2xlarge

See more info about Amazon’s G2 instances and compare pricing… right now the g2.8xlarge is $2.60 per hour, or $62.40 per day. There is apparently also a new P2 instance type which has up to 16 Tesla K80 GPUs which is a little better. The 8x is $7.20 per hour, and the 16x is $14.40 per hour.

I do believe blocking the top X most common passwords is the best and most efficient strategy, but it is conceivable you could run an automated, regular offline GPU crack attempt on all accounts, and then auto-reset passwords of those users whose passwords can be easily cracked. I would allocate at least one hour of GPU time per account, and obviously you’d want to use popular wordlists and masks to do so; brute force is out of the question. Another very clever idea, but it would not be trivial to set up.

Finally, when it comes to password generation, obviously in a perfect world we would all use magical perfectly random password generators. Barring that, for human generated passwords, I have some suggestions:

  1. if you use a dictionary word, insert something random inside the word to make it no longer a dictionary word

  2. avoid “number at the end” or “number at the beginning”

  3. avoid “capitalize the first character”

  4. try to fold something site-specific into your password for that site, as a kind of “site hash”. Don’t just concatenate words together though – insert one word at random within the other.

Let’s say you were generating a human password for, I dunno, reddit. Rather than

Redditmonkey1985

do

reddMon5891keyit

Break up the dictionary / site-specific words, capitalize other than beginning, and put the number in somewhere other than beginning or end.
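As an added example (not part of the post), here is a small checker that flags a human-chosen password against the suggestions above: a whole dictionary or site word left intact, digits at the beginning or end, and “capitalize only the first character”. The wordlist is a constructed stand-in for the popular wordlists the post mentions.

```python
import re

# Constructed mini wordlist standing in for a real cracking wordlist
# (which would also hold the site names you want to fold in).
DICTIONARY = {"reddit", "monkey", "password", "dragon", "letmein", "welcome"}


def find_dictionary_words(pw, dictionary=DICTIONARY):
    """Return dictionary words that appear whole (case-insensitively) in pw.
    Breaking a word up, as in reddMon5891keyit, makes it stop matching."""
    low = pw.lower()
    return sorted(w for w in dictionary if w in low)


def number_at_edge(pw):
    """True when the password starts or ends with a digit (rule 2)."""
    return bool(re.match(r"^\d", pw)) or bool(re.search(r"\d$", pw))


def only_first_capitalized(pw):
    """True when the first character is the only uppercase letter (rule 3)."""
    return pw[:1].isupper() and pw[1:] == pw[1:].lower()


def check_password(pw, dictionary=DICTIONARY):
    """Return a list of problems; an empty list means the password follows
    all the suggestions this checker covers."""
    problems = []
    words = find_dictionary_words(pw, dictionary)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    if number_at_edge(pw):
        problems.append("digits at the beginning or end")
    if only_first_capitalized(pw):
        problems.append("only the first character is capitalized")
    return problems


if __name__ == "__main__":
    for candidate in ("Redditmonkey1985", "reddMon5891keyit"):
        print(candidate, "->", check_password(candidate) or "ok")
```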