
Weak passwords can be mitigated against, and password reuse limits (of one - no password reuse, ever) the attack surface from there, along with using HIBP's breach database. NIST updated their recommendations about passwords, and forcing a change of password every 30 days was removed because it caused other, more leaky behavior in practice.

