To avoid the situation where people choose weak passwords, there is a simple solution.
Do not let them choose. The client should generate an account itself.
It would be like the bitcoin private keys. Hidden from the user, unless he's looking for it.
But to do that, then you need a wallet. That's because the user will not be able to memorize the key.
Nxt doesn't have a wallet.
Somebody earlier in this thread suggested making composite passwords,
with a separator character or without it, anyway.
1st part is user pass that he chooses and
2nd part is randomly generated by the client software.
NXT password = 1st_part+2nd_part
2nd part is encrypted and stored locally on the machine in "wallet.dat"
or how you would like to call it but 1st part is never stored.
To unlock the account user needs to enter 1st part in the client software
then the client will retrieve the 2nd part and concatenate them together.
NXT password will be 1st_part+2nd_part.
If wallet.dat is stolen it won't be possible
to use the password, as it would then be encrypted and also
the 1st part will be missing.
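
The composite-password scheme described above, as an added example that is not part of the original post or of the Nxt client. The post does not say how the 2nd part is encrypted; this sketch assumes the key is derived from the 1st part with scrypt, and the JSON layout and function names are hypothetical.

```python
import hashlib
import json
import secrets

# Assumed scrypt cost parameters; the post does not specify a KDF.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def _pad(first_part: str, salt: bytes) -> bytes:
    """Derive a 32-byte one-time pad from the user's 1st part."""
    return hashlib.scrypt(first_part.encode("utf-8"), salt=salt, **SCRYPT)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_wallet(first_part: str) -> tuple[str, str]:
    """Return (wallet.dat contents, full NXT password).

    The 2nd part is 32 random bytes generated by the client. Only its
    encrypted form and the salt are written out; the 1st part is never stored.
    """
    second = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)  # fresh per wallet, so the pad is never reused
    sealed = _xor(second, _pad(first_part, salt))
    wallet = json.dumps({"salt": salt.hex(), "sealed": sealed.hex()})
    return wallet, first_part + second.hex()


def unlock(wallet_json: str, first_part: str) -> str:
    """Rebuild 1st_part+2nd_part from wallet.dat and the typed 1st part.

    The file carries no integrity tag, so a wrong 1st part does not raise
    an error: it decrypts to a different 2nd part and therefore yields a
    different password.
    """
    w = json.loads(wallet_json)
    pad = _pad(first_part, bytes.fromhex(w["salt"]))
    second = _xor(bytes.fromhex(w["sealed"]), pad)
    return first_part + second.hex()


if __name__ == "__main__":
    wallet_dat, password = create_wallet("my chosen pass")  # constructed sample
    print(wallet_dat)
    print(unlock(wallet_dat, "my chosen pass") == password)
```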