I am using Blowfish in PHP using the crypt function. I would like to know how long it would take to guess the users' passwords if the range of the passwords is 0001 - 9999?
Should I implement another input password value for the user?
This basically gives you 10,000 combinations and it will be quite fast (instant) to guess it.
Check this old table (it's much faster now): Password Recovery Speeds
Testing all numeric passwords of size 4 is extremely fast on any modern computer. You should make sure that your passwords are composed of different characters (upper/lowercase letters, punctuation, special characters), and are longer (10 characters at least, or even more depending on the sensitivity of your system).
See this very interesting article by Jeff Atwood on the subject.
Let's say that you came up with a good combination of hashing speed and usability.
more hashing time =~ more brute-force resilient
But at the same time
more hashing time =~ less usability
Assuming you made some compromises and decided that it's okay for a password checking logic to take up to 5 seconds (you did that with a large number of iterations, meaning you hashed the password many, many times).
Time to break (in hours) = combinations * hashing_time (in seconds) / 3600 (+ looking up time, trivial)
Let's try it
Time to break (in hours) = 9999 * 5 / 3600 = roughly 13 hours and 48 minutes
So bottom line, follow @Wookai's advice, don't use short numeric passwords.
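The estimate above, applied to a bcrypt time measured on the local machine instead of an assumed 5 seconds. This is an added example, not code from any of the answers. It uses PHP's password_hash() with PASSWORD_BCRYPT rather than a direct crypt() call, and the function names, cost values, policy labels and 94-symbol alphabet are assumptions chosen for illustration.

```php
<?php
// Added example: worst-case exhaustive-search time for a password policy,
// using the formula combinations * hashing_time / 3600 with a measured hash time.

// Average seconds for one bcrypt hash at the given cost on this machine.
function measureHashSeconds(int $cost, int $samples = 3): float
{
    $start = microtime(true);
    for ($i = 0; $i < $samples; $i++) {
        // Constructed sample input; only the timing matters here.
        password_hash('constructed-sample-' . $i, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (microtime(true) - $start) / $samples;
}

// Number of passwords of exactly $length symbols over an alphabet of $alphabetSize.
function keyspace(int $alphabetSize, int $length): float
{
    return (float) pow($alphabetSize, $length);
}

// Hours needed to try every combination at $secondsPerHash per guess.
function hoursToExhaust(float $combinations, float $secondsPerHash): float
{
    return $combinations * $secondsPerHash / 3600;
}

// Assumed policies: the 4-digit scheme from the question, and a
// 10-character password over the 94 printable ASCII symbols.
$policies = [
    '4 digits'                    => keyspace(10, 4),
    '10 chars, 94-symbol alphabet' => keyspace(94, 10),
];

foreach ([10, 12] as $cost) {
    $seconds = measureHashSeconds($cost);
    printf("bcrypt cost %d: %.3f s per hash\n", $cost, $seconds);
    foreach ($policies as $label => $combinations) {
        printf(
            "  %-30s %.3e combinations, %.3e hours worst case\n",
            $label,
            $combinations,
            hoursToExhaust($combinations, $seconds)
        );
    }
}
```

The measured time is for one thread on the machine running the script, so the printed hours are an upper bound on how long the search would take on faster or parallel hardware.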