there have been a little bit of back peddling on that requirement due to that password managers are equally a risk to your safety online and certainly in many case completely impractical, think computer system, firsts time email login, password manager login
Proper system is inline with my statement
System highly limited to number of incorrect attempts an a secondary key
The regular changes are still recommended as it is irrelevant how looooong the password is. once a key logger, a database breach, reverse decryption or other magnitude means a password is captured by an actor and usable in the highly complex state
a changed password means there is a strict time limit to the actor must used it and the secondary key of now highly prevalent multi-factor technologies . in many cases an enforced requirement of systems you will use.
In fact long complex passwords are useless the new recommendation is to pass phrases with common but unrelated words. such example is
Apples saved the aliens
