NIST Special Publication 800-63B states:
"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."
None of the organisations I have worked at in the last ten years have followed this advice. One financial services organization I worked at in 2018 required password changes every 30 days!
https://pages.nist.gov/800-63-3/sp800-63b.html
#infosec #memorizedsecrets