Re: "If your password is brute-forceable, you shouldn't be using it."
I've written a new password policy which I'm fighting to get approved. It requires less frequent changes, longer passwords (with a longer minimum), and no number/special character requirement or even upper/lower case.
It's such a damn fight to get it approved though; people EXPECT those requirements and don't understand that encouraging people to use easier-to-remember passwords may actually improve the quality of them, rather than them simply using their spouse's/child's name and adding a number to the end.