Re: "Unless there is reason to believe a password has been compromised ..."
One answer would be to check passwords, as they are changed, against the compromised list from Troy Hunt - he has an API for this - and tell users to pick again if the password is on the compromised list.