New NIST changes to password best practices

https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html

Complexity rules are bad for your company
Password expiration is useless (and in some cases, actively bad for your company)
Password managers are good

Soooo basically everything people have been saying for like a decade now.

I’ve been reading some concerns about, for example, Windows login credentials being password1 forever with these new recommendations. Some of the counter arguments come from SAs who have been relatively successful in encouraging their users to select a character on their keyboard, enter it X number of times, put in whatever password they want, and follow it up with another X entries of that character.

This strikes me as an interesting way to thwart mask attacks. Maybe a password is simple, but you’ve got unknown garbage to deal with at the beginning and/or end of the simple password, and you don’t know how much garbage.

1 Like
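An added illustration, not from the thread or from Schneier's post, of the policy shift being discussed: a legacy composition-rule checker beside a SP 800-63B style length-plus-blocklist checker with no complexity or expiry rules. The small blocklist, the 8-to-64 length bounds and the context words are constructed for the example; a real deployment would load a full breached-password list.

```python
import re
import unicodedata
from typing import List, Sequence

# Constructed stand-in for a breached/common-password blocklist.
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein",
}


def legacy_policy(pw: str) -> List[str]:
    """The classic composition rules: 8-16 chars and every character
    class required. Returns a list of violations (empty means accepted)."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8-16")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    return problems


def nist_policy(pw: str, context_words: Sequence[str] = ()) -> List[str]:
    """SP 800-63B style: minimum length, a generous maximum, a blocklist
    of known-bad values, and rejection of trivially repetitive strings.
    No character-class rules and nothing that depends on password age."""
    pw = unicodedata.normalize("NFKC", pw)  # normalize before comparing
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:  # the guidance says to accept at least 64
        problems.append("longer than 64 characters")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common/breached password list")
    if re.fullmatch(r"(.)\1+", pw):  # e.g. 'aaaaaaaa'
        problems.append("single repeated character")
    # Context-specific words (username, service name) are easy guesses.
    if any(w and w.lower() in lowered for w in context_words):
        problems.append("contains username or service name")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(candidate, "legacy:", legacy_policy(candidate),
              "nist:", nist_policy(candidate))
```

Running it shows the inversion the thread is celebrating: `P@ssw0rd` satisfies every legacy composition rule yet is rejected by the blocklist, while a long passphrase fails the legacy rules and passes the NIST-style check.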

Hopefully this will catch on. Plenty of insane password rules still out there.

1 Like

@Eden made a thread about this a little while ago.

1 Like

Whoops! Doubling up on the threads. Sorry 'bout that.