That's useful guidance, but we need to work with what we have available - passwords and 2FA. Whilst the complexity argument is indeed flawed by human behaviour, it doesn't alter the fact that there are 26 upper case characters, 26 lower case, 10 numeric characters, and (depending on character set) a number of special characters. Consequently, as in any cryptographic algorithm, by and large simple character replacement can only take you so far. The longer and more complex the password, the easier it is for the hacker to fall foul of the limited number of failed logins the target system allows. However, with complexity comes the desire to write down or store the password, which undermines its effectiveness with a new vulnerability. For this reason, I like the use of a number of discrete words separated by numbers and characters, to achieve semantic complexity rather than character-set complexity. At least that's my choice. I also like 2FA and always use Face or Fingerprint authentication where possible.
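To put numbers on the points raised in the comment above (character-set size versus length, how little simple character replacement adds, and how a failed-login limit bounds online guessing), here is a small added calculator. It is not part of the original comment; the 33-character special set, the 7776-word list size, the substitution table and the per-day attempt budgets are all constructed assumptions for illustration.

```python
"""Password-space arithmetic: character-set size versus length, the small gain
from simple substitutions, and the bound a failed-login limit puts on online
guessing. All numbers below are assumptions chosen for illustration."""
import math

# Character classes as counted in the comment; 33 printable ASCII specials is an assumption.
CHAR_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Constructed substitution table (the usual "leet" swaps): letter -> alternative characters.
LEET_SUBSTITUTIONS = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}


def charset_entropy_bits(length: int, classes) -> float:
    """Bits of entropy for `length` characters drawn uniformly from the named classes."""
    alphabet = sum(CHAR_CLASSES[c] for c in classes)
    return length * math.log2(alphabet)


def passphrase_entropy_bits(num_words: int, dictionary_size: int, separator_choices: int = 1) -> float:
    """Bits for `num_words` words chosen uniformly from a list of `dictionary_size` words,
    joined by separators each chosen uniformly from `separator_choices` symbols."""
    bits = num_words * math.log2(dictionary_size)
    if num_words > 1 and separator_choices > 1:
        bits += (num_words - 1) * math.log2(separator_choices)
    return bits


def substitution_bonus_bits(word: str, substitutions=LEET_SUBSTITUTIONS) -> float:
    """Extra bits gained by optionally substituting each eligible letter of a known base word,
    assuming the guesser already knows the word and the substitution table."""
    bits = 0.0
    for ch in word.lower():
        alternatives = substitutions.get(ch, "")
        if alternatives:
            # keep the original letter or pick one of the alternatives
            bits += math.log2(1 + len(alternatives))
    return bits


def online_guess_fraction(bits: float, attempts_per_day: int, days: int) -> float:
    """Fraction of a `bits`-bit password space reachable in `days` when a lockout or
    rate-limit policy allows only `attempts_per_day` failed logins (capped at 1.0)."""
    return min(1.0, attempts_per_day * days / 2 ** bits)


def compare_policies() -> dict:
    """Entropy summary for a few constructed password styles."""
    all_classes = ["lower", "upper", "digit", "special"]
    return {
        "8 chars, all classes": charset_entropy_bits(8, all_classes),
        "12 chars, lower only": charset_entropy_bits(12, ["lower"]),
        "4 words / 7776-word list": passphrase_entropy_bits(4, 7776),
        "4 words + digit separators": passphrase_entropy_bits(4, 7776, separator_choices=10),
        "'password' with leet swaps": substitution_bonus_bits("password"),
    }


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label:30s} {bits:6.1f} bits")
    # With 100 failed logins permitted per day, how much of a 40-bit space is reachable in a year?
    print(f"online coverage of a 40-bit space in one year: {online_guess_fraction(40, 100, 365):.2e}")
```

Two things the table makes visible: twelve lowercase letters carry more entropy than eight characters drawn from all four classes, and applying the whole substitution table to a known word adds under six bits, so the word-based approach in the comment gains its strength from the number of words, not from the swaps. The online-coverage figure is what a failed-login limit buys a defender; it says nothing about offline cracking of a leaked hash, where only the entropy itself matters.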