Absolutely. In the real world there's just no case for password expiration any more. Require at least 14 characters. Don't insist on any "complexity" rules, but do check passwords against a list of common/stupid ones and reject them. Use a good hash algo, like bcrypt, scrypt, or Argon2.
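
The policy in the comment above, written out in Python as an added example that is not part of the original comment: only length and a denylist are checked at signup, and the password is stored with scrypt from the standard library. The denylist entries, the scrypt cost parameters and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 14  # minimum length from the comment above

# Constructed sample denylist; a real deployment would load a large list of
# common and breached passwords from a file instead.
DENYLIST = {"passwordpassword", "12345678901234", "qwertyuiopasdfgh", "letmeinletmein1"}

# scrypt cost parameters (assumed values; tune them for your hardware)
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def _normalize(password):
    # NFKC so the same password typed on different keyboards compares equal
    return unicodedata.normalize("NFKC", password)


def check_password(password):
    """Return (ok, reason). No complexity rules: only length and the denylist."""
    pw = _normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if pw.casefold() in DENYLIST:
        return False, "common password"
    return True, "ok"


def hash_password(password):
    """Return 'salt_hex$hash_hex' using a fresh random salt per password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(_normalize(password).encode(), salt=salt, **SCRYPT)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, hash_hex = stored.split("$")
    digest = hashlib.scrypt(
        _normalize(password).encode(), salt=bytes.fromhex(salt_hex), **SCRYPT
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
```

The stored record carries no expiry date, so a password stays valid until the user changes it.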