Password policies and best practices have changed. The days of forcing staff to change their passwords regularly are gone. Gone with them are overly complex passwords that are difficult for people to use.
Today, recommendations for password policies have changed so that staff no longer have to change their passwords periodically. People should change their password only when they have to: when there has been a security incident, such as an account compromise, or when the password has been forgotten.
Another recommendation concerns the length of the password. More often than not, the passwords you used to use were set to an 8-character string of numbers and letters. We now recommend the longer, the better. Did you know Microsoft 365 will accept passwords as long as 256 characters? The more characters, the better.
Instead of using complex passwords, like ‘*yE32@tH(aDgt’, the general recommendation is to use passphrases, like ‘1ate2A3BIT4too5much$$’. It’s much easier to remember a passphrase than a complex password. And it is far less likely to be written down on a sticky note stuck to the screen or under your keyboard.