I'd assume that's what they're talking about with the 'use blacklist'. It'd be easy enough to occasionally repopulate it with "obvious" or known-compromised passwords that turn up.

Likewise, I assume they're keeping that list semi-secure to avoid black-hats/kiddies getting their hands on a list of really good passwords to throw into their cracking engine ruleset.