Just because it meets the complexity test does not mean it is secure.
Most of the insider threats and some very public hacks (yes, I am talking to you, John Podesta) are due to poor password choice. But it is not just the basics of changing the default passwords. You have to change it to something complex, with upper and lower case, numbers and special characters, and it also has to be not easily guessed.
We had a new client that lost the password to his SAN. He did not remember it, but he always used the same form of password: company name with capitalization, a special character, and some numbers. Because that creates a complex password, they thought they were secure. In reality it was a false sense of security: the password was easily guessed, and the company data was vulnerable to anyone with a minuscule bit of information about the company who wanted to spend the time.
Because we needed access to the SAN, I wrote a simple 47-line Python script to churn through all the various options. It took us less than a minute to crack the password, and we were in. It helped me tremendously that they did not turn on any brute-force blocking or disabling on failed attempts. It also helped that they had default usernames enabled. I only had to guess a few of the 12 characters in the password. But computing is cheap, and time is not relevant when your computer does the work for you. I say helped, but for real it made the job of hacking in more straightforward and less time-consuming.
The main lesson learned here for my customer is that password security is not hard; it just has to happen. For better security, they now use strong random passwords generated by a program. Login is disabled for all default users. Brute-force blocking is enabled, with timeouts of at least 15 min. Where applicable, and especially for remote access to the systems, two-factor logins and biometrics are used.
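
As an added example (not the script from this engagement and not the author's code), here is a Python check a defender can run when a password is set. It shows why the client's pattern passes a complexity test yet leaves only a few characters to guess. The context words, sample passwords, substitution table, bit estimate and 60-bit threshold are all constructed assumptions.

```python
import math
import string

ALPHABET = 94  # printable ASCII characters, excluding space
# Common look-alike substitutions, undone before matching (constructed, not exhaustive).
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s"})
# Constructed context an outsider could learn: company name, town.
CONTEXT = ["ExampleCo", "Springfield"]

def meets_complexity(pw, min_len=12):
    """The usual complexity test: length, upper, lower, digit, special."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def context_match(pw, context_words):
    """Return the longest context word contained in pw, or None."""
    plain = pw.lower()
    folded = plain.translate(UNLEET)
    hits = [w for w in context_words
            if w.lower() in plain or w.lower() in folded]
    return max(hits, key=len) if hits else None

def estimated_bits(pw, context_words):
    """Rough guessing cost in bits (an assumption, not a measurement)."""
    word = context_match(pw, context_words)
    if word is None:
        return len(pw) * math.log2(ALPHABET)
    unknown = len(pw) - len(word)  # characters left to guess
    # Assumed: 1 bit per letter for case/substitution, plus the choice of word.
    return unknown * math.log2(ALPHABET) + len(word) + math.log2(len(context_words))

def audit(pw, context_words=CONTEXT, min_bits=60):
    """Accept only if complex AND still costly to guess once context is discounted."""
    bits = estimated_bits(pw, context_words)
    return {"complex": meets_complexity(pw),
            "context_word": context_match(pw, context_words),
            "bits": round(bits, 1),
            "accept": meets_complexity(pw) and bits >= min_bits}

if __name__ == "__main__":
    for sample in ("ExampleCo#42", "Ex@mpl3Co#42", "q7#Lm2!xVd9&"):  # constructed
        print(sample, audit(sample))
```

Both company-name samples pass the complexity test but are rejected, because only three of their 12 characters are actually unknown; the random 12-character sample is accepted.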