I see a lot of threads around password policies on this subreddit which sadly tell the story that many organisations are following advice from yesteryear which actually *decreases* security.
Forcing users to set complex passwords with special-character minimums and regular expiry is terrible practice and should be stopped, because it pushes your users into bad habits. They are already suffering from credential overload and have many passwords to remember, so why not make their lives a little easier and your security better by following modern best practice?
[This article from Troy Hunt](https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/) covers everything you need to know. I implemented these changes, and they made everyone’s lives easier because there were fewer lockouts, fewer password issues and therefore fewer service desk tickets. My users also love only having to change their password once per year.
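To make the contrast concrete, here is an added example (my own code, not the poster's or anything from Troy Hunt's article) that models the two policies side by side: a legacy policy built on composition rules and scheduled expiry, and a modern one built on minimum length, a breached-password blocklist and rotation only on evidence of compromise. The blocklist is a small constructed set standing in for a real corpus such as Pwned Passwords, and the length limits and the choice of `max_age_days=None` for the modern policy are assumptions, not values from the post.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional
import re

# Constructed stand-in for a breached-password corpus. A real deployment would
# query a service such as Pwned Passwords or keep a local copy of a leak list.
BREACHED_PASSWORDS = frozenset({"Password1!", "P@ssw0rd1!", "Summer2023!", "Welcome1", "qwerty123"})


@dataclass
class Policy:
    min_length: int
    max_length: int
    composition_rules: bool                       # require upper/lower/digit/special
    blocklist: FrozenSet[str] = field(default_factory=frozenset)
    max_age_days: Optional[int] = None            # None: rotate only on evidence of compromise


# Legacy "yesteryear" policy: composition rules, 90-day rotation, no breach check.
LEGACY = Policy(min_length=8, max_length=16, composition_rules=True, max_age_days=90)

# Modern policy (assumed values): length plus breach blocklist, no composition
# rules, no scheduled expiry.
MODERN = Policy(min_length=12, max_length=128, composition_rules=False,
                blocklist=BREACHED_PASSWORDS)


def check_password(password: str, policy: Policy) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.composition_rules:
        for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                              ("digit", r"[0-9]"), ("special", r"[^A-Za-z0-9]")):
            if not re.search(pattern, password):
                problems.append(f"missing {name} character")
    if password in policy.blocklist:
        problems.append("appears in breached-password corpus")
    # Trivial structure that a length rule alone does not catch.
    if len(set(password)) == 1:
        problems.append("single repeated character")
    return problems


def must_rotate(days_since_change: int, known_compromised: bool, policy: Policy) -> bool:
    """Scheduled expiry under the legacy policy; event-driven rotation under the modern one."""
    if known_compromised:
        return True
    return policy.max_age_days is not None and days_since_change >= policy.max_age_days


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "correct horse battery staple"):
        print(f"{pw!r}")
        print("  legacy:", check_password(pw, LEGACY) or "accepted")
        print("  modern:", check_password(pw, MODERN) or "accepted")
```

Running it shows the failure mode the post is describing: the legacy policy accepts `P@ssw0rd1!`, which satisfies every composition rule but sits in the breach corpus, and rejects a long passphrase for lacking an uppercase letter and a digit. The modern policy does the opposite. The rotation helper makes the second half of the argument explicit: under the legacy policy a 90-day clock forces a change regardless of risk, while under the modern one a change is triggered by a known compromise rather than the calendar.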