When my clients create a password, they are shown a strength meter and I have set the requirements fairly high. However, the strength meter is essentially only useful if being attacked by a very dumb brute force cracker. I know for a fact that passwords can be created that are easier to crack with software like John the Ripper. For example, it's easy enough to make sure people aren't creating passwords like "password1", but I need to catch common non-dictionary terms like "NCC-1701-D" (the registry number for the Star Trek Enterprise) and other stuff that crackers commonly check for ("qwerty", "asdf", etc.). It is my understanding that cracking programs get better as they have access to more cracked passwords (thanks LinkedIn, Evernote, LivingSocial...) because the cracker is able to start with the most common passwords, and even search for common "word fragments" within passwords and add them to the dictionary...
So how can I get access to some of these advanced configurations of John the Ripper--I know the program itself is free to install, but how do I get these advanced constructed dictionaries? Also, what are the security implications of hacking my own accounts? I can't think of how this could really be problematic--unless I store the cracked passwords plaintext or something. Am I missing some obvious problems that this would introduce?
EDIT: I am thinking of generating my own rainbow table for my salt* and then uploading the list of hashes. Then if a user's salted hash matches one from the rainbow table, they're forced to create a new password upon their next login (or even better, it's checked against the rainbow table when they first create it and it gets rejected if there is a match, though I'm not sure if this might be computationally too expensive.)
*D'oh! As pointed out below, that's not how salting works. Is there a feasible way to check passwords against a "password blacklist" without exposing the password in the process?