There are many factors to take into account when attempting to answer your question.
What password change policy do you currently implement? For instance, are users required to set passwords that don't include their name (if you know it), their account name, etc.?
What other security measures are you currently implementing? (Are the error logs being regularly reviewed, etc?)
Is password security your biggest issue, or do you have other CGI issues? Is anyone other than the developers auditing the code?
Are there web server configuration issues that affect the security? (Are databases available via http, for instance?)
You may be the only one with the information necessary to answer this question. There are quite likely other folks that you work with who can take a look at the service security. You have to assess the risk of password compromise against the risks of other types of compromise of the server and service.
in reply to Why do you have to worry about Brute Force Attacks?