
Leaked passwords
Leaked passwords aren't as much of the problem as password hashes. Malware with sufficient privileges can steal the hash of the logged-in user and possibly other users that have logged into the machine (depends on a number of factors). The longer the time between password changes, the longer the malware or operator has to utilize that hash. With hashes, even a single digit change will completely change the hash. The only problem with this is if the plain text is known (such as having it brute forced).

There are a lot of brute forcing programs that will string together words in various different combinations so simple pass phrases may not be as strong as many think. It is always good to do something a little out of the ordinary to increase the strength of a pass phrase.

Users will still use simple passwords at 12 characters so it may still be a good idea to enforce complex passwords with Windows since that is the only way to guarantee users won't use the same character 12 times in a row.

Bill
Posted by wdewey@...
8th Oct
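
An added example, not part of the post above: a defender-side password audit in Python that flags the two weaknesses the post describes, a passphrase made only of dictionary words strung together and a password that repeats one character. The wordlist, the thresholds, the three-class rule (a simplified stand-in for a complexity policy) and all function names are constructed assumptions.

```python
import re

# Constructed sample wordlist (assumption); a real audit would load a large dictionary.
WORDS = {"correct", "horse", "battery", "staple", "summer", "winter", "blue", "love"}

def word_split(s, words=WORDS):
    """Return dictionary words that concatenate exactly to s, or None if impossible."""
    s = s.lower()
    best = [None] * (len(s) + 1)   # best[i] = one segmentation of s[:i]
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in words:
                best[end] = best[start] + [s[start:end]]
                break
    return best[len(s)]

def char_classes(pw):
    """Count how many of lower/upper/digit/symbol appear in pw."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)

def audit(pw, min_len=12, max_run=6, min_classes=3):
    """Return a list of findings; an empty list means no rule fired."""
    findings = []
    if len(pw) < min_len:
        findings.append("too_short")
    # One character repeated max_run or more times in a row.
    if re.search(r"(.)\1{%d,}" % (max_run - 1), pw):
        findings.append("repeated_char")
    # Drop common separators, then test for a pure word concatenation.
    core = re.sub(r"[\s\-_.]", "", pw)
    if core and word_split(core) is not None:
        findings.append("words_only")
    if char_classes(pw) < min_classes:
        findings.append("few_classes")
    return findings

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("aaaaaaaaaaaa", "correct horse battery staple",
               "Summer-Winter-Blue", "t7#Qm!zR2v&Lp9"):
        print(repr(pw), audit(pw))
```

The third sample satisfies the length and character-class rules yet is still reported as `words_only`, which is the case the post's second paragraph is about.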