any decent corporate IT dept makes sure you don't by forcing frequent password changes and having quite secure rules for length and characters in a password. My corporate IT forces quarterly password changes for VPN, NIS and SSO, which all must be different, all must be 8+ characters, all must have a mix of upper and lower case and numerics. They also store the hash of all previous passwords to prevent users from recycling.
So I think the onus of responsibility lies with corp IT and not HR.
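What the policy described in the comment above looks like once it is actually written down, as an added example and not the poster's IT department's system: the composition rules (8+ characters, upper, lower, digit) plus a per-user history of previous passwords kept as hashes so that recycling is detected. The hash function, per-entry salt, iteration count and history length are this example's assumptions. The practical caveat is that a stored password history is itself a cracking target, so each entry gets its own salt and a slow hash rather than a bare digest.

```python
import hashlib
import hmac
import os
import re

# Composition rules stated in the comment above.
MIN_LENGTH = 8


def check_policy(password: str) -> list[str]:
    """Return the list of rules the password violates (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


class PasswordHistory:
    """Per-user history of previous passwords, stored as salted PBKDF2 digests.

    Every entry carries its own random salt, so the history cannot be attacked
    with one precomputed table, and reuse is detected by re-deriving the
    candidate with each stored salt.  Algorithm, salt size, iteration count and
    history depth are this example's assumptions, not the original poster's setup.
    """

    ITERATIONS = 200_000

    def __init__(self, max_entries: int = 24):
        self.max_entries = max_entries
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, digest) pairs

    @classmethod
    def _digest(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def was_used_before(self, password: str) -> bool:
        # Constant-time comparison against each stored digest.
        return any(
            hmac.compare_digest(self._digest(password, salt), digest)
            for salt, digest in self._entries
        )

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        # Keep only the most recent max_entries passwords.
        if len(self._entries) > self.max_entries:
            self._entries = self._entries[-self.max_entries:]


def change_password(history: PasswordHistory, new_password: str) -> list[str]:
    """Apply the composition rules and the reuse check.

    Returns the reasons for rejection; on an empty list the password was
    accepted and has been recorded in the history.
    """
    problems = check_policy(new_password)
    if history.was_used_before(new_password):
        problems.append("matches a previous password")
    if not problems:
        history.record(new_password)
    return problems


if __name__ == "__main__":
    h = PasswordHistory()
    for candidate in ["short", "Winter2024x", "Winter2024x", "winter2024x"]:
        print(candidate, "->", change_password(h, candidate) or "accepted")
```

Note that the history check has to re-derive the candidate once per stored entry, which is why a slow hash and a bounded history depth go together; with a single shared salt the check would be one derivation, but the stored history would then be crackable as a batch.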
Forcing people to change their password is one of the most annoying and ineffectual things you can do. It is completely useless to change a perfectly good password when it has not been compromised. And since most humans have trouble memorizing complicated passwords, the net result will be much simpler passwords, or ones that get written down.
There's no technical solution to this problem. In the end it comes down to making people actually memorize pseudorandom passwords. As long as there's no shoulder surfing or keyloggers, you can keep such a password for years.
You know how people who work at your company remember their passwords after having to change them so often and comply with so many rules? They write them down on post-it notes that they leave at their desks.