On the 4 November 2015, two administrator accounts were compromised. It appears that both account had used passwords on Wikipedia and on other sites and one of the other sites had been breached. The highlighted security issue, however, makes this a good time to review our password requirements.
This RfC is to look at what levels of password protection we should require and for what usergroups. I intend to start a similar RfC on meta for global changes to the password policy in the near future. I've also asked the question about two-factor authentication.