Passwords are not the issue
Password complexity is not the issue (to a certain point), the systems controlling them are. Rate limiting attempts, max tries per minute, hour day, pattern detection (such as logging the failures IP/MAC to multiple UIDs) and 2FA massively reduce brute force. Don't get my wrong blocking most used passwords is also required.