I think Steven meant upping the requirements for new accounts only. In that way nothing gets broken immediately. I'm still not absolutely convinced this is more useful than a hindrance if we clearly inform the user about password strength when they set them (see my earlier post about "this password can be brute forced in x"). If users are then not deterred from setting their password to "wiki", apparently they didn't care, as we told them how easy it is to brute force.
I think such statistics are misleading. Why would an attacker use brute force over a dictionary attack?
-bawolff