It seems crazy that Qwerty1234 and Qwertyuiop1 aren’t in the list of 10k most common passwords.
The gains from many recent hacks are publicly available containing hundreds of millions of actual passwords-- check out weakpass.com for example. In their top 100k login list, qwerty1234 was 2k in and qwertyuiop123 37k in.
Part of the answer might be to block more of these terrible passwords. Scanning down the weakpass.com list past 10k, I see awful passwords like “thunderbird”, “jediknight”, and “imhorny” all the way down at 19k.
But that won’t do it-- down at 26k is qq123456789. Perhaps logic to block sequential number sequences makes sense, too. And keys in sequence and/or repeating on a qwerty keyboard, like at 97k, “asdasdasdasd”. But you can keep going down the rabbit hole with that sort of rules-based classification and eventually you end up writing your own Spamassassin only to be obsoleted by a machine learning bayesian algorithm shortly thereafter.
It’s great that you’re making it harder to hash, and Imma let you finish there, but in addition to that, to best serve your users, you should support two-factor authentication and make it mandatory for admins and moderators (where you host) and both strongly encourage it and make it very easy to implement elsewhere.