It would also be very, very, very cool if Dreamhost (since they have a list of old passwords) would, say, make that list all invalid for future use.

We're doing some tough client love right now on security practices, and having a nice hard wall to push off of, namely, Dreamhost being assholes, in a good way, would be a very Good Thing[tm].

We, well, I, have been using sshkeys for access. We actually had one of our accounts request sshkey access as well, which was freaking wonderful. Most are so technically backward that this can't be rolled out globally, though I'd love for it to be.