Any password strength estimator worthy of the name ought to hardcode a list of those 10,000 passwords and disallow any of them. Add in standard algorithms and you're probably doing pretty well.
But would that decrease your conversion rate for your site/ application?
There is a line between gracefully telling your user their password could be better for their own security and irritating them enough to leave your site.
To be honest, while most everyone here knows more about password security, most of us that do not use a password manager probably have a couple simple go to passwords that we use to try out all the apps HN users dream up and share. (...and more secure passwords when needed)
