Password Strength Testing Tool - https://bitwarden.com/password-strength
Don't use MD5 and SHA-1 for passwords
Use other hash functions that require more compute power (i.e. which are slower).
Even if two users use the same password, the salts are different, so the resulting hashes will be different. This means that to recover passwords from the hashes, an attacker needs to generate a separate rainbow table for each salt.
Salts must be:
- long enough to make it impractical to brute-force or to generate rainbow tables
- truly random
See 'Salts Will Not Help You': https://codahale.com/how-to-safely-store-a-password/
How to securely hash passwords? - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
Does bcrypt have a maximum password length? - https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length
Password max length with bcrypt, blowfish - https://stackoverflow.com/questions/24751279/password-max-length-with-bcrypt-blowfish