Makes me wonder if the responsible thing to do when running a web service is to constantly dictionary-attack and brute-force your own server, and whenever it gets a hit, email the user and force a password change. In theory, the userbase would evolve towards better passwords over time.