I don't know why companies with major online presences, such as Steam, can't just include something in their ToS that users can have as simple or complex a password as they want, as long as they understand that the security of their password (or lack thereof) is not the company's responsibility and any theft or unauthorized account activity is put purely on the user. Perhaps they could also do something where it says "your password is 180 days old, would you like to change it? Y/N" and leave it at that.