先前在「NIST 新的密碼規範」這邊提到了用字典檔避免使用者選擇弱密碼的問題:
When processing requests to establish and change memorized secrets, verifiers SHOULD compare the prospective secrets against a dictionary of known commonly-used and/or compromised values. This list SHOULD include passwords from previous breach corpuses, as well as dictionary words and specific words (such as the name of the service itself) that users are likely to choose. If the chosen secret is found in the dictionary, the subscriber SHOULD be required to choose a different value. The subscriber SHOULD be advised that they need to select a different secret because their previous choice was commonly used.
除了一般的字典檔以外,還要從之前被破的網站取得。這部份的資料可以從 danielmiessler/SecLists 這邊的 Passwords 目錄下取得,資料不算太多,但應該夠用。