The default password complexity should be changed on new installations. Right now the default is PASS_TYPE_ANY which accepts any password. Instead it probably makes sense to default to at least PASS_TYPE_ALPHA and increase the minimum number of characters in a password.