It's not your job to make sure users are smart enough or care enough about their own security. Your job is just to make sure that you do what you can to ensure their data is safe on your end. If their account gets compromised due to their own stupidity or mistake (e.g. being duped by a phishing site/e-mail), well, that's their own fault.
I'm no security expert, but to me this means a few things, and probably a few more things to an expert:
1. Make sure you store their password using a known-safe encryption algorithm.
2. Don't transmit the password back and forth in plain-text (use https or a hash or token or something).
3. Allow secure passwords. You wouldn't believe (or maybe you would) how many sites limit the length of your password to only 8-12 characters, which can only be alphanumeric. Not that hard to brute-force...
4. Put measures in place to prevent brute-force, such as temporarily locking an account or requiring additional verification after x attempts in y minutes.
Once you've done all you can on your end to ensure that people can't get the password from you, then that's all you are required to do, as far as I am concerned. Although, I suppose at that point it would be safest to assign a password for the user but allow them to change it if they choose to do so.
Another, third option would be to e-mail them a temporary password and require them to change it or assign a different permanent one when they first login. That way even if the e-mail gets compromised, the password will definitely not be the same if the user has ever logged in.
I used to use the same password on just about every website, but then once Gawker had their data compromised due to a stupid security flaw on their end, many of my accounts became compromised.
That's bad on me because I used the same password on many sites, but terrible on their part because it was them
that allowed my password to get leaked, not me. Nobody brute-forced it or guessed it or based on information that I made publicly available. It got into the wrong hands because Gawker didn't store it securely.