[eluser]bretticus[/eluser]
Good question. There is the possibility of a short password being cracked by brute force alone (not against your login, but if someone with malicious intent gets your data). Not really sure, but I see a lot of password policies being 8 or more numbers and letters with at least one capital and one punctuation character (!@#$%^&*()).
I was thinking, surely, one of these dictionaries or rainbow tables exists for download somewhere. Why not get that and check against it? If it were a plain text dictionary, you could gen a rainbow table using your hashing salt. If you get a match, tell the user his or her password is too weak (that ought to drive them completely nuts).
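
The check suggested in the post above, as an added example that is not part of the original post: a dictionary is hashed once with the site's salt, and a new password is rejected if its hash is in that table or if it misses the length and character-class policy mentioned. The SHA-256(salt + word) scheme, the single site-wide salt, the lowercase matching, the function names and the sample wordlist are all assumptions made for illustration.

```python
import hashlib
import string

# Constructed sample wordlist; in practice, load the downloaded dictionary file.
SAMPLE_WORDLIST = ["password", "letmein", "qwerty", "dragon", "welcome1!"]
SITE_SALT = b"example-site-salt"  # assumption: one application-wide salt

TOO_SHORT = "shorter than 8 characters"
NO_DIGIT = "no number"
NO_LETTER = "no letter"
NO_CAPITAL = "no capital letter"
NO_PUNCT = "no punctuation character"
IN_DICTIONARY = "found in dictionary"

def salted_hash(word, salt):
    """Assumed scheme: SHA-256(salt + word). Swap in the application's own hash routine."""
    return hashlib.sha256(salt + word.encode("utf-8")).hexdigest()

def build_weak_table(words, salt):
    """Hash every dictionary word (lowercased) with the salt, once, up front."""
    return {salted_hash(w.strip().lower(), salt) for w in words if w.strip()}

def password_problems(password, salt, weak_table, min_length=8):
    """Return the list of reasons a candidate password is rejected (empty = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(TOO_SHORT)
    if not any(c.isdigit() for c in password):
        problems.append(NO_DIGIT)
    if not any(c.isalpha() for c in password):
        problems.append(NO_LETTER)
    if not any(c.isupper() for c in password):
        problems.append(NO_CAPITAL)
    if not any(c in string.punctuation for c in password):
        problems.append(NO_PUNCT)
    # Lowercase before hashing so "Welcome1!" still matches the entry "welcome1!".
    if salted_hash(password.lower(), salt) in weak_table:
        problems.append(IN_DICTIONARY)
    return problems

if __name__ == "__main__":
    table = build_weak_table(SAMPLE_WORDLIST, SITE_SALT)
    for candidate in ["dragon", "Welcome1!", "Tr4ctor-Beam#92"]:
        print(candidate, "->", password_problems(candidate, SITE_SALT, table) or "ok")
```
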