Only 90 days, that's not too bad, and at eighteen characters it likely keeps all but a state actor from hard cracking it.
Think up a nonsense phrase and replace some of the letters with numbers l33t h4ck3r style, something like:
1und3r5t4ndy0umr45p4r4gus
Also, if you are inconsistent with what letters you replace with numbers, it becomes harder to crack even if someone does find your nonsense phrase.
I no longer have to deal with that, but my personal passwords are all generated from a personal pass phrase that creates a unique and indecipherable alphanumeric string at the desired length for each login I use; I don't think I actually know any of my passwords :P
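One way a passphrase-based generator like the one described in the comment above can work, added here as an example and not part of the original comment. The commenter's actual tool is not stated, so the choice of PBKDF2-HMAC-SHA256, the iteration count, the function names, and the sample passphrase and site names are all assumptions.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # 62 alphanumeric symbols
ITERATIONS = 600_000  # assumed PBKDF2 work factor; slows offline guessing


def site_key(passphrase: str, site: str, counter: int = 1) -> bytes:
    """Stretch the passphrase into a 32-byte key bound to one login."""
    # The site name and a rotation counter act as the salt, so every login
    # gets an unrelated key and a password can be rotated by bumping counter.
    salt = f"{site.strip().lower()}\x00{counter}".encode()
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)


def keystream(key: bytes):
    """Yield an unbounded byte stream from the key (HMAC in counter mode)."""
    block = 0
    while True:
        yield from hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def derive_password(passphrase: str, site: str, length: int = 18,
                    counter: int = 1) -> str:
    """Return the deterministic alphanumeric password for one site."""
    if length < 1:
        raise ValueError("length must be positive")
    # Bytes >= 248 are discarded so each of the 62 symbols is equally likely
    # (plain `byte % 62` would favour the first eight symbols).
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    for byte in keystream(site_key(passphrase, site, counter)):
        if byte < limit:
            chars.append(ALPHABET[byte % len(ALPHABET)])
            if len(chars) == length:
                break
    return "".join(chars)


if __name__ == "__main__":
    master = "constructed example passphrase"  # constructed sample input
    for name in ("mail.example", "bank.example"):  # constructed site names
        print(name, derive_password(master, name))
```

Nothing is stored, so the passphrase is the single secret protecting every login, and a site that forces a change is handled by incrementing `counter`.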