Limit login attempts will solve most problems
We only need long, complex passwords, requiring password managers for some, to try and thwart brute force attacks. Limiting the number of login attempts solves this. Okay, if your company doesn't have an effective "Forgot password?" process this means employing an extra 50 people for the IT Support Desk on Monday mornings, but that is the price of security.