22
No your metod is very good too
But, force users change simple password is necessary.
Well, dependencie of site too.
[Edited by Giba]
I am analysing for parameter in admin area for test password users.
if simple password, change e-mail for change in 30 days.
if user not change password after it day, and not login in site, disable account/login this user, and send e-mail with this information.