Complex passwords that must be changed every 90 days are the bain of most companies and a headache for employees and they are not as secure as you have been led to believe.  The reason is that people have to write them down. They keep a list of them or post them on the bottom of their keyboard or attach them to their screens. Hardly a secure system.  Often times passwords are shared with co-workers. Security is becoming more of an issue and researchers have been working on finding a way to have secure access to what employees need and preventing access to data they should not use.

My preference for passwords is to use a passphrase of 16-24 characters made up of a random string 3-5 words that you can remember but that does not make any particular sense.  Breaking these types of passphrases requires much more computational resources to break.

Additional security can be added by implementing multi-factor authentication into the mix along with strict access controls for all sensitive data.