Ah, I was talking about OPs comment - it wasn't that passwords weren't changed often - it's that they were created a long time ago when that particular length/complexity was thought to be enough.
I see what you're saying, but 8 characters was also considered not enough 20 years ago. Naturally it takes a long time for good practices to propagate but