Another idea might be for the software to offer to create a random
password for users at account creation time, and also to make the same
offer at password change time.
For example, even using automatically generated simple-looking and
reasonably simple passwords like "little-center-ground-finger"
consisting of 4 words between 5 and 8 characters long, will give an
effective per-password entropy of 62 bits, significantly better than
most user-generated passwords.
Neil
If we did this it's worth pro-actively making the wordlist "hard". For
example, the words chosen above appear in the top-1000 most common English
words, and so therefore are trivially vulnerable to dictionary attacks
(hackers read XKCD too :)).
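
An added example (not code from this thread or from the software under discussion): a word-based password generator that computes entropy from the size of the list it draws from and refuses lists that are too small for a target. The function names and the `SAMPLE` list are constructed for illustration.

```python
import math
import secrets

def filter_words(words, min_len=5, max_len=8):
    """Keep unique lowercase alphabetic words within the length bounds."""
    seen = {w.strip().lower() for w in words}
    return sorted(w for w in seen if w.isalpha() and min_len <= len(w) <= max_len)

def entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly and independently from the list.
    It depends on the list size only, not on how long the words are."""
    return n_words * math.log2(list_size)

def min_list_size(target_bits, n_words):
    """Smallest list size giving at least target_bits for n_words words."""
    size = math.ceil(2 ** (target_bits / n_words))
    while entropy_bits(size, n_words) < target_bits:  # guard float rounding
        size += 1
    return size

def generate(words, n_words=4, sep="-", min_bits=0.0):
    """Return (passphrase, bits); refuse lists too small for min_bits."""
    pool = filter_words(words)
    if len(pool) < 2:
        raise ValueError("word list too small")
    bits = entropy_bits(len(pool), n_words)
    if bits < min_bits:
        raise ValueError(f"{len(pool)} words give {bits:.1f} bits; "
                         f"need {min_list_size(min_bits, n_words)} words")
    # secrets uses the OS CSPRNG; random.choice would not be suitable here
    return sep.join(secrets.choice(pool) for _ in range(n_words)), bits

# Constructed sample list for the demo; a real deployment loads a large list.
SAMPLE = ["little", "center", "ground", "finger", "Ground", "cat",
          "extraordinary", "window", "marble", "it's"]

if __name__ == "__main__":
    print(generate(SAMPLE))                 # tiny list: about 10.3 bits
    print(round(entropy_bits(1000, 4), 1))  # 4 words from a 1000-word list
    print(min_list_size(62, 4))             # list size needed for 62 bits
```
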