Not all users of SQL Server, that use SQL Server Authentication have Query Analyzer installed on there desktop. The kind of users I am referring to our the ones that typically use applications only from an end-user perspective.
Now, if you are using SQL Server Authentication for end-users, and you do feel strongly about requiring the users to do the following you might consider this.
1) Build a web front end that executes a stored procedure that allows users to change there password. The stored procedure would be the one executing sp_password. This stored procedure would also log into a password change table every time the user changed there password. This stored procedure can also enforce your strong password requirements.
2) Every time someone goes through your application to logon to SQL Server you check the password change table to see when they last changed their password. If they haven't change it in say 90 days (your threshold for when a user need to change their password) then you bring up the password change web page and make them change there password before they get into the system.
Gregory A. Larsen, MVP