There are big improvements to password handling in the newest version of WordPress:

You start out with a strong password by default and you are given the option to keep it or choose your own. A password strength meter is available as well as the option to hide your password from prying eyes. WordPress will no longer send passwords via email and the password reset links will expire in 24 hours. E-mail notifications will be sent out in the event that an e-mail or password is changed.

The release notes for WordPress 4.3 list other changes. There are no security vulnerability fixes in this version, so updating is not urgent, but the password-related changes alone are worth the trouble.