Changing passwords often serves no purpose, especially if users already adhere to #1. Having strong passwords eliminates the need and worry of changing passwords that folks need to retrain themselves to remember. If the passwords are strong enough, there is no worry of them being cracked. So educate users to create strong passwords and even "padding" them, will not only make them strong, but make them easy to remember. For ex.

!@##EW(S(!!H898%R$ is not as strong as
D0g...........................................................

See https://www.grc.com/haystack.htm

Sigh, I wish this "mantra" of changing passwords often policy would just die already.

Philip