• I agree completely on performing password audits. PWDCOMPARE, however, is good for a first pass but not for the only pass. If you can find a password with PWDCOMPARE and without prior knowledge of the password, it's absolutely a worthless password. If you can't find it with PWDCOMPARE, you have no knowledge of its strength - it may still be an absolutely worthless password.

    For actual password auditing, I highly recommend using dedicated tools like Hashcat, preferably with at least one modern, up to date graphics card (or NVIDIA Tesla card, for the industrially inclined or Amazon cloud renters) - note that SQL Server 2012 support is being added. Note also that the cracking speed against SQL Server 2005 through 2008 R2 passwords with a single machine in the $4000 price range is now in the range of 22,000,000,000 password attempts per second (yes, that's twenty two billion attempts per second, i.e. a one hundred thousand word dictionary with 220,000 rules applied every second... so putting three numbers at the end of a common word isn't going to help you much!).

    Note that that rate allows brute force exhaustion of the entire 95^8 space (8 character cryptographically random password with all of upper/lower/number/symbol) in only about three days. 69^8 (as before, but only upper or lower case, not both) is exhausted in about 6 hours (generating an average cracking time of 3 hours, and 1 in 10 passwords being cracked in a little over half an hour).

    Additionally, you can test the strength of passwords you think are secure (like the immortal "P@$$w0rd", which meets all "industry standard" Windows complexity rules, and its children, "P@$$w0rd1" through "P@$$w0rd123", all of which are some of the absolute very worst passwords in the world), with code similar to what I posted at the beginning of this year:

    Here's my post on rules-based password prevalidation (i.e. is this password worth even trying to use), complete with sample code and estimations of the strengths of various sizes of completely random passwords.

    ETA: Added brute force timing notes.
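The PWDCOMPARE first pass the post describes, as an added T-SQL example (not the commenter's own code, and not the rules-based prevalidation code they link to). It assumes you are running as sysadmin on SQL Server 2005 or later, since reading password_hash from sys.sql_logins requires that right; the candidate list is constructed inline and deliberately includes the "P@$$w0rd" family, each login's own name, and a numeric-suffix rule so that "P@$$w0rd1" through "P@$$w0rd999" are all tried. Any hit this returns is, as the post says, a worthless password; no hit tells you nothing, so feed the same hashes to Hashcat afterwards.

```sql
-- Added example: first-pass SQL login audit with PWDCOMPARE.
-- Requires sysadmin (password_hash in sys.sql_logins is NULL otherwise).
-- The candidate list below is constructed for illustration; in practice
-- bulk-load a real wordlist into a permanent table instead.
DECLARE @candidates TABLE (pw NVARCHAR(128) NOT NULL);

-- Base words: blank, "industry standard" complexity-compliant junk, and
-- the immortal P@$$w0rd itself.
INSERT INTO @candidates (pw) VALUES
    (N''), (N'sa'), (N'Password1'), (N'Welcome1'), (N'P@$$w0rd');

-- Rule: the login name itself (and the name with "1" appended).
INSERT INTO @candidates (pw)
SELECT name FROM sys.sql_logins
UNION
SELECT name + N'1' FROM sys.sql_logins;

-- Rule: append 0-999 to every base word so far ("P@$$w0rd1" ... "P@$$w0rd999").
-- Reading and inserting into the same table variable is fine here; the
-- SELECT is evaluated before the new rows are added.
;WITH n AS (
    SELECT TOP (1000) ROW_NUMBER() OVER (ORDER BY (SELECT NULL)) - 1 AS i
    FROM sys.all_objects AS a CROSS JOIN sys.all_objects AS b
)
INSERT INTO @candidates (pw)
SELECT c.pw + CAST(n.i AS NVARCHAR(4))
FROM @candidates AS c
CROSS JOIN n;

-- PWDCOMPARE hashes each candidate with the stored salt and returns 1 on
-- match, so every row here is a login whose password is in the list.
SELECT l.name,
       c.pw            AS cracked_password,
       l.is_disabled,
       l.is_policy_checked,
       l.modify_date
FROM sys.sql_logins AS l
CROSS JOIN @candidates AS c
WHERE l.password_hash IS NOT NULL
  AND PWDCOMPARE(c.pw, l.password_hash) = 1
ORDER BY l.name;
```

The cross join is deliberately naive: a few thousand candidates against a few hundred logins is a trivial amount of work for the server, and it keeps the audit inside the engine so no hashes leave the box. Once the list grows past a small dictionary, stop here and switch to Hashcat; PWDCOMPARE is for catching the embarrassing ones, not for measuring strength.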