To test the passwords, the auditor general's staff compiled a dictionary of common weak passwords from pentest resources, and tested those against 520,000 current and disabled accounts on WA government systems.
If the system even allows you to attempt that sort of crude dictionary attack... Wot, no timeout between failed login attempts? No maximum number of failed logins before locking the account? I don't know if any kind of "strong password" policy could compensate for those weaknesses.
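The two controls the comment above asks about, a delay between failed logins and a cap on failures before lockout, sketched as an added example that is not part of the original comment or of any WA government system. The class and function names, the policy values and the sample guesses are all assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Per-account throttle: doubling delay after each failure, then lockout."""
    max_failures: int = 5      # assumed policy value
    base_delay: float = 1.0    # assumed: seconds to wait after the first failure
    max_delay: float = 60.0    # assumed cap on the doubling delay
    _state: dict = field(default_factory=dict)  # account -> (failures, not_before)

    def check(self, account, now):
        failures, not_before = self._state.get(account, (0, 0.0))
        if failures >= self.max_failures:
            return "locked"
        return "wait" if now < not_before else "ok"

    def record_failure(self, account, now):
        failures = self._state.get(account, (0, 0.0))[0] + 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[account] = (failures, now + delay)

    def record_success(self, account):
        self._state.pop(account, None)  # a good login clears the counter

def attempt_login(throttle, account, password, verify, now):
    """Return 'ok', 'bad', 'wait' or 'locked'. verify() runs only when allowed."""
    status = throttle.check(account, now)
    if status != "ok":
        return status
    if verify(password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad"

def replay(throttle, account, guesses, verify, interval):
    """Feed guesses at a fixed interval (seconds); count each outcome."""
    counts = {"ok": 0, "bad": 0, "wait": 0, "locked": 0}
    for i, guess in enumerate(guesses):
        counts[attempt_login(throttle, account, guess, verify, i * interval)] += 1
    return counts

# Constructed sample data: 100 placeholder guesses; the real password is the 10th.
GUESSES = [f"guess{i}" for i in range(1, 101)]

def verify(pw):  # stand-in for a real password-hash comparison
    return hmac.compare_digest(pw.encode(), b"guess10")

if __name__ == "__main__":
    print(replay(LoginThrottle(), "alice", GUESSES, verify, 0.25))
```

With these values only five guesses are ever compared against the password. The correct one at position 10 is refused as well, so a lockout policy needs an unlock path for the legitimate user.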