I think Steven meant upping the requirements for new accounts only. In
that way nothing gets broken immediately. I'm still not absolutely convinced
this is more useful than a hindrance if we clearly inform the user about
password strength when they set them (see my earlier post about "this
password can be brute forced in x"). If users are then not deterred from
setting their password to "wiki", apparently they didn't care, as we told
them how easy it is to brute force.
I think such statistics are misleading. Why would an attacker use brute
force over a dictionary attack?
-bawolff
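
The contrast raised in this exchange, as an added example that is not code from the thread or from any project it discusses: a strength estimate based only on exhaustive search compared with the guess number at which a wordlist attack reaches the same password. The wordlist, the mangling rules and all function names are constructed for illustration, and the sketch assumes ASCII passwords.

```python
import string

# Constructed sample list, most common first. Assumption: a real check would
# load a large list of common or leaked passwords instead.
WORDLIST = ["password", "123456", "qwerty", "wiki", "letmein"]
# Assumed mangling rules: optional capitalisation plus one common suffix.
SUFFIXES = [""] + [str(d) for d in range(10)] + ["123", "!"]
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def brute_force_guesses(pw):
    """Worst-case guesses for exhaustive search over the classes pw uses."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return pool ** len(pw)

def dictionary_guesses(pw):
    """Guess number at which a wordlist attack reaches pw, or None."""
    guess = 0
    for word in WORDLIST:
        # dict.fromkeys drops the duplicate when capitalize() changes nothing
        for variant in dict.fromkeys((word, word.capitalize())):
            for suffix in SUFFIXES:
                guess += 1
                if variant + suffix == pw:
                    return guess
    return None

def estimated_guesses(pw):
    """Report the cheaper of the two attacks, which is what an attacker picks."""
    d = dictionary_guesses(pw)
    b = brute_force_guesses(pw)
    return b if d is None else min(d, b)

if __name__ == "__main__":
    for pw in ("wiki", "Wiki123", "xk7#Qm2vLp"):
        print(f"{pw!r}: brute force {brute_force_guesses(pw):.2e}, "
              f"dictionary {dictionary_guesses(pw)}, "
              f"reported {estimated_guesses(pw):.2e}")
```

A meter that reports only the brute-force figure rates "Wiki123" at 62^7 guesses, while the wordlist pass above reaches it on guess 90.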