I know it seems strange to give you a plaintext copy when a semi-strong password is required, and I do know it's a pain to remember... which is why I'm sending plain-text copies and asking for a valid email. There will be automated systems in place to let you have your password emailed to you if you forget it. The problem I'm fighting against is not that people will hack your local computer or your Gmail account and from there find a copy of your password and THEN break into your account here. That's the sort of attack likely in a normal corporate/network environment. The problem here is that two-thirds of the attacks I see against the server are brute-force attacks against basic services such as email and SSH... basically throwing a dictionary against the door. The matter is complicated because these are often done by botnets with a hundred different IPs, and against real account names. Thus, I can't reliably ban by IP, and if I locked an account for X number of failed logins, every legit user would be locked out in a matter of minutes. My only options are to require passwords that can't be guessed by the dictionary attacks, or to require an even more esoteric system of public/private keys... and the latter would only work with SSH, since email doesn't support key-pair authentication.
Oh, and it tests against about 2.4 million "words." That doesn't mean you can't use those words, just that you can't use an easy combination of them. It passes a short sentence-like phrase such as "BigHairyMonkey" with no problem, even though the words involved are some of the easiest/simplest ones in the dictionary. 2.4 million is quick enough in computer terms, but 2.4 million^3 is something around 14 quintillion. An attacker would have to try 4.8 billion per second to crack it in a full year. Given that it won't allow more than one try every second, it would take about 438 billion years, or roughly 31 times the age of the universe. If he tried just letters alone (rather than whole words) it would be over 1 septillion possibilities... I'm not even going to do the math on that! Point is, a seemingly simple phrase is more than enough to defeat these brute-force attacks. The situation would be completely different in an office environment, where people could have clues about you and your possible password. If you had a bunch of King Kong figures on top of your monitor, "BigHairyMonkey" may not be the best password to keep you from the prying eyes of coworkers. :-)
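The reasoning in the post (a password is "too easy" if it is a short combination of dictionary words, and the cost of a word-by-word attack is dictionary_size^words, capped by the plain letter-by-letter cost) can be turned into a small estimator. The code below is an added example, not the author's actual checker: it uses a tiny constructed word list in place of the real ~2.4-million-word dictionary, takes the 2.4 million figure, the three-word bar and the one-try-per-second throttle from the post, and assumes a segmentation rule (minimum number of dictionary words that concatenate to the password, case-insensitive) and the usual character-class sizes for the letter-only attack. The `min_dictionary_words`, `guess_count`, `years_to_crack` and `is_acceptable` names are mine.

```python
"""Estimate how long a throttled brute-force attack needs against a password,
using the word-combination reasoning from the post above (added example)."""

# Constructed tiny dictionary for demonstration; the real checker uses ~2.4M words.
DICTIONARY = {"big", "hairy", "monkey", "password", "secret", "letmein", "king", "kong"}
REAL_DICT_SIZE = 2_400_000          # figure quoted in the post
MIN_WORDS = 3                       # the post treats a 3-word phrase as strong enough
SECONDS_PER_YEAR = 365.25 * 86400


def min_dictionary_words(password, dictionary):
    """Smallest number of dictionary words whose concatenation equals the
    password (case-insensitive), or None if no such split exists.
    Dynamic programme over prefixes, so every possible split is considered."""
    s = password.lower()
    n = len(s)
    best = [None] * (n + 1)
    best[0] = 0
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in dictionary:
                candidate = best[j] + 1
                if best[i] is None or candidate < best[i]:
                    best[i] = candidate
    return best[n]


def character_space(password):
    """Size of the letter-by-letter search space: alphabet size for the
    character classes actually used, raised to the password length.
    Class sizes (26/26/10/33) are the usual assumption for printable ASCII."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size ** len(password)


def guess_count(password, dictionary, dict_size=REAL_DICT_SIZE):
    """Worst case for the defender: the cheaper of the word-combination attack
    (dict_size ** words) and the raw character attack."""
    words = min_dictionary_words(password, dictionary)
    letters = character_space(password)
    if words is None:
        return letters
    return min(dict_size ** words, letters)


def years_to_crack(guesses, rate_per_second=1.0):
    """Time to exhaust the search space at a fixed guess rate; the post's
    server throttles to one attempt per second per connection."""
    return guesses / rate_per_second / SECONDS_PER_YEAR


def is_acceptable(password, dictionary, dict_size=REAL_DICT_SIZE, min_words=MIN_WORDS):
    """Accept only if the cheapest attack is at least as expensive as guessing
    a min_words-word phrase from the full dictionary."""
    return guess_count(password, dictionary, dict_size) >= dict_size ** min_words


if __name__ == "__main__":
    for pw in ["BigHairyMonkey", "password", "bigmonkey", "KingKong", "Xq7!"]:
        g = guess_count(pw, DICTIONARY)
        print(f"{pw:16} words={min_dictionary_words(pw, DICTIONARY)!s:5} "
              f"guesses={g:.3g} years@1/s={years_to_crack(g):.3g} "
              f"ok={is_acceptable(pw, DICTIONARY)}")
```

Run stand-alone it prints one line per sample password; "BigHairyMonkey" comes out at 2.4M^3 guesses (about 1.4e19, roughly 4.4e11 years at one try per second, matching the post's arithmetic), while "password" and "bigmonkey" are rejected because one or two dictionary words are far cheaper than the three-word bar. The letter-space cap matters for long nonsense strings: a random 14-letter string is accepted because 52^14 exceeds the threshold, and a 4-character string such as "Xq7!" is rejected even though it is not dictionary-composed.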