Longer passwords are better. Did you know that the current best practice guidance from NIST has removed the requirement to enforce password C0mpl3xity! Arbitrary expiration deadlines are also out. A password should change if you suspect that it has been compromised.
Learn more about Digital Identity Guidelines from NIST: https://pages.nist.gov/800-63-3/sp800-63b.html