• Hi Phil,

    I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?

    I started out with a list of every word in the English language. There are several of these around. You probably won't find these used if you have a policy in place, but if you do the usual @ and 0 substitutions as well, then a lot crawls out. I add words from books on the Gutenberg project. Capitals should be random in a good password, but they usually aren't, so I simply double the list with a capital for the first letter. Then, every time there is a release of passwords from one of the security experts as ASCII files, I update the list to include them. (There are surprisingly few extra strings from this.) I never get the passwords from the hackers, only second-hand from the security experts, and then as plain ASCII.

    My only purpose is to check that the passwords are reasonable. I'm not a security expert and so I don't hack into machines. You only need to google a bit to see that the unsalted hashes are very easily decoded, and there are plenty of utilities that claim to be able to read the more recent salted hashes. I haven't tried one, but I bought a utility a while back when I locked myself out of a SQL Server entirely (long story) and it let me in in a moment by allowing me to change the passwords in Windows and SQL Server!

    Best wishes,
    Phil Factor
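The list-building procedure Phil describes in his reply (dictionary words, the usual @ and 0 substitutions, a doubled copy with the first letter capitalised, then merging whatever plain-ASCII releases come out), written out as an added example. This is not Phil's own code or tooling; the base words and the "released" list are constructed stand-ins for the English dictionary, the Gutenberg words and a real release file, so the script runs offline.

```python
import itertools

# Constructed stand-in for the dictionary / Gutenberg word list (hypothetical sample).
BASE_WORDS = ["password", "secret", "letmein", "welcome"]

# Constructed stand-in for a plain-ASCII release of leaked passwords (hypothetical sample).
RELEASED = ["123456", "qwerty", "Passw0rd", "password"]

# "The usual @ and 0 substitutions" from the post.
SUBSTITUTIONS = {"a": "@", "o": "0"}


def substitutions(word):
    """Yield every variant of word with any subset of the substitutable
    letters replaced (including the unchanged word). A word with k
    substitutable letters yields 2**k variants, so for very long words
    you may prefer only the all-or-nothing pair; the sample words are short."""
    positions = [i for i, ch in enumerate(word) if ch in SUBSTITUTIONS]
    for n in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, n):
            chars = list(word)
            for i in chosen:
                chars[i] = SUBSTITUTIONS[chars[i]]
            yield "".join(chars)


def capitalisations(word):
    """Yield the word as-is and, if different, with its first letter capitalised
    (the 'doubling of the list' in the post)."""
    yield word
    capped = word[:1].upper() + word[1:]
    if capped != word:
        yield capped


def build_list(base_words, released):
    """Build the candidate set from the base words, then merge a released list.
    Returns (candidates, number_of_new_strings_the_release_contributed)."""
    candidates = set()
    for base in base_words:
        for variant in substitutions(base.lower()):
            for cased in capitalisations(variant):
                candidates.add(cased)
    before = len(candidates)
    # Released lists are taken as plain ASCII, one string per line; blank lines dropped.
    candidates.update(line.strip() for line in released if line.strip())
    return candidates, len(candidates) - before


def is_reasonable(password, candidates):
    """The check the post is after: reject any password that appears in the list.
    This is meant to run on the cleartext at password-set time, not on stored hashes."""
    return password not in candidates


if __name__ == "__main__":
    wordlist, new_from_release = build_list(BASE_WORDS, RELEASED)
    print(f"{len(wordlist)} candidates, {new_from_release} new from the release")
    for pw in ("P@ssw0rd", "Welcome", "correct horse battery"):
        print(pw, "reasonable" if is_reasonable(pw, wordlist) else "in list")
```

Note how few strings the constructed release adds once the substitutions and capitalisation are in place, which matches the post's observation: "Passw0rd" and "password" are already generated from the base word, so only "123456" and "qwerty" are new.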