Raistael | 6 years ago | on: Password expiration is dead, long live passwords
Properly implemented 2FA, for sure. I have been on both sides of various types of 2FA failures, but I definitely agree.
Raistael | 6 years ago | on: Password expiration is dead, long live passwords
This is largely true, but we also exist in a day and age where computing clusters can fire off billions of guesses per second. Anything less than 16 digits takes a questionably small amount of time in comparison, when paired with some of the more advanced attack vectors.
Raistael | 6 years ago | on: Password expiration is dead, long live passwords
Mostly, if implemented properly, sure. I would agree with this.
Raistael | 6 years ago | on: Password expiration is dead, long live passwords
I prefer these methods as well, but password simplification is a user choice, not a causal effect. Any secure password generator and vault, keyfobs and various other methods are great ways to compensate for a password that expires every so often. While I'm not entirely in line with the idea of "forced" password expiration, it's often the only way to ensure that the end user actually updates their password regularly. There are definitely better ways than raw expiration. Why not present the user with a screen that basically says "hey, your password hasn't been changed in __ time, you'll need to fix that now to access the system" when they log in after the set time period?
Raistael | 6 years ago | on: Password expiration is dead, long live passwords
I'm not entirely sure that I'd agree with this mentality. Sure, at a glance it sounds good. If the password has been safeguarded, there's really not much reason to force expiration. However, wouldn't the age of the password reduce the security of it by default? The longer a password exists for, the more likely it is that it can be cracked, discovered by a misplaced Post-It note, or compromised by some other unknown security issue. With all the other security and privacy concerns, this thought process seems contrary.