It would probably be better to provide the customers a separate tool and instructions on how and why to use stronger passwords.  Surely the customers have passwords on many websites.  I hope they aren't all the same!  
And yes, some customers won't care. All we can do is guide them in the right direction.

And if your Surgemail is set to limit the number of password guesses to 5 or fewer (Limits section of the Spam control page) the customer accounts will also be safer from threats.

BarryZ