Password auditing is difficult if users are allowed to choose their own passwords. It's true you can use tools such as Crack to do this, but if your popular password list isn't the same as the one used by your attacker, a password that looks strong to your tools might well be weak to an attacker. E.g., your user's weak password might be a popular password in a language you don't speak and which those compiling your Crack password dictionary don't know about. That's fine if you have access to the same auditing tools as your attackers have for attacking you, but it certainly isn't safe to assume that you do. It seems to me better either to generate random passwords for the users, or to choose good ones for them that they should be able to remember, based on what you know about them that attackers are unlikely to know or guess.
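
The dictionary-coverage gap described above, and the random-generation alternative, as an added example that is not part of the original comment. The wordlists, the sample password and the function names are constructed for illustration; the audit is a simplified stand-in for a dictionary check, not Crack itself.

```python
import math
import secrets
import string

# Constructed sample wordlists: the auditor's list is English-only, while the
# second list stands in for a dictionary the auditor never compiled.
AUDITOR_WORDLIST = {"password", "letmein", "dragon", "sunshine"}
OTHER_WORDLIST = {"salasana", "contraseña", "motdepasse", "passwort"}

# Alphabet for generated passwords: 62 symbols (assumption for this example).
ALPHABET = string.ascii_letters + string.digits


def audit(password, wordlist):
    """Return True if a simple dictionary audit flags the password as weak.

    The check lowercases the candidate and strips trailing digits, so it only
    finds words that are actually present in the supplied wordlist.
    """
    base = password.lower().rstrip(string.digits)
    return base in wordlist


def generate_password(length=16):
    """Draw each character uniformly from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password; no wordlist is involved."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    user_choice = "Salasana1"  # constructed: Finnish for "password" plus a digit
    print("flagged by auditor's list:", audit(user_choice, AUDITOR_WORDLIST))
    print("flagged by other list:    ", audit(user_choice, OTHER_WORDLIST))
    pw = generate_password()
    print("generated:", pw, "entropy bits:", round(entropy_bits(len(pw)), 1))
```

The same user-chosen password passes the audit with one list and fails it with the other, while the strength of the generated password follows from its length and alphabet alone.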