Because long complex unique passwords are difficult to remember, and that people typically don't store them appropriately, Microsoft now recommends that passwords NOT be changed. In the past 5 years or so theres been a strong focus on user behavior and what people are actually doing. As a result a strong password with 2FA is security 'nuff.