Have forced 2FA through e-mail for a new device/IP location more than X miles away. Users rarely log in from a new device, or randomly log in from a different country. Tagging those as suspicious and making the user get a code from their email is simple and goes a long way in increasing security with minimal annoyance.
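The decision rule described in the comment above, as an added illustration that is not code from any poster or product: a login is flagged for an e-mail code when it arrives from a device identifier the account has never used, or from an IP geolocation farther than a configurable number of miles from every location the account has successfully logged in from before. Device identifiers, coordinates and the 500-mile default are constructed sample values; how you derive a device id (cookie, fingerprint) and geolocate an IP is assumed to exist elsewhere.

```python
"""Risk-based step-up check for logins.

Added example for this thread, not any site's real implementation.
Assumptions: the caller already has a stable per-device identifier
(e.g. a hashed long-lived cookie) and an approximate lat/lon for the
source IP. The history, device ids and coordinates below are constructed.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class LoginEvent:
    device_id: str   # assumed hashed device/cookie identifier
    lat: float       # approximate geolocation of the source IP
    lon: float


@dataclass
class AccountHistory:
    known_devices: set = field(default_factory=set)
    known_locations: list = field(default_factory=list)  # (lat, lon) pairs


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def step_up_reason(history: AccountHistory, event: LoginEvent,
                   max_miles: float = 500.0):
    """Return None when the login looks routine, otherwise a short tag
    saying why an e-mail code should be demanded before completing it.

    A never-seen device is always challenged (this also covers the very
    first login on a fresh account). A known device is challenged only
    when it is farther than max_miles from every previously seen location,
    so commuting between nearby cities does not trigger a code."""
    if event.device_id not in history.known_devices:
        return "new-device"
    if history.known_locations and all(
        haversine_miles(event.lat, event.lon, lat, lon) > max_miles
        for lat, lon in history.known_locations
    ):
        return "distant-location"
    return None


def record_success(history: AccountHistory, event: LoginEvent) -> None:
    """After the password (and any e-mail code) checks out, remember the
    device and location so the same pattern is routine next time."""
    history.known_devices.add(event.device_id)
    history.known_locations.append((event.lat, event.lon))


# Constructed sample: an account that has only ever logged in from
# device "dev-A" in New York.
NYC = (40.7128, -74.0060)
PHILLY = (39.9526, -75.1652)
LONDON = (51.5074, -0.1278)


def demo():
    hist = AccountHistory()
    first = LoginEvent("dev-A", *NYC)
    results = {"first_login": step_up_reason(hist, first)}
    record_success(hist, first)   # first login passed the e-mail code
    results["same_device_nearby"] = step_up_reason(hist, LoginEvent("dev-A", *PHILLY))
    results["new_device_same_city"] = step_up_reason(hist, LoginEvent("dev-B", *NYC))
    results["same_device_abroad"] = step_up_reason(hist, LoginEvent("dev-A", *LONDON))
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:24s} -> {reason or 'no challenge'}")
```

The "known locations" list grows with every successful login; a real deployment would cap or age it, and would treat a missing or private-range geolocation as unknown rather than as a distance of zero.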
Method wise, you are correct. However, forcing all the users to adopt a new password creation paradigm will statistically make this a very small issue.
I kind of doubt it. People will use the same password on every website, and if you require it to be 4 words, they'll just make it "my password is password" or something. Password requirements don't improve password security. Reuse and phishing are always going to be the main problem.
(Of course, bad passwords are bad. One time I exposed a MySQL database I use for local unit tests to the Internet with the credentials root:test. It was hacked in hours, with a message saying where to send bitcoins to get the database back. Slightly stronger passwords do help with that sort of thing.)
If you still use it on multiple sites, and one of those sites is storing it in plaintext, you'll still have the same security issue. It's very rare that someone has broken a password through character-by-character brute force.