<i>The second thing is to fix the password problem. They should force users to create more complex passwords when they log in.</i><p>Seen from a security perspective, this adds to the overall security of the site; however, most users simply find an easy password that fits the bill. blink182, 123456qwerty, qwerty! - which is almost as easy to brute-force or keep in a rainbow table as normal dictionaries.<p>You should be aware, however, that password requirements detract from the user experience. When users pick a password for a new account, they are at the most crucial part of a website: the sign-up. This is where you can lose people that were otherwise ready to sign up.<p>So it's a trade-off. If your site holds credit card numbers or other vital information, a certain minimum requirement for passwords is certainly in place, but if your site is something like HN, where no valuable information is held, you should probably just let users pick whatever password they like. Worst case, they will lose a few comments and some karma.