NIST now recommends using long passphrases instead of complicated alphanumeric passwords, and only refreshing them if they've been breached.