Apparently Brion ran at least once a "password cracker" (http://meta.wikimedia.org/wiki/Talk:Stewards#Proposed_security_policy). While that's useful to identify vulnerable accounts, it is perhaps best to enforce minimum password strength from the get-go.
This extension should have the ability to:
*force users to reset their password every X timespan
*~~enforce minimum password length~~
*enforce varying levels of password security by user group (i.e. admins have an intermediate level, stewards must have a high level)
*T11838 Send notification to account owner on multiple unsuccessful login attempts
*maybe other stuff I've not thought about