Never change your password? Not sure I would agree with Glenn.

For web sites, I would expect modern practices, but for corporate systems, as others have already mentioned, it's a different ball game entirely. I recall when my current employer was a client of my previous employer and I had a diagram of the 300+ systems we were in the process of changing. Single Sign-On became a thing early on in places like this. And when you use SSO, the lowest common denominator wins. Given there are systems over 20 years old, you can guess what it’s like. We have to change our password every 90 days.

What services do you use that let you create lots of addresses like this?

Google Workspace. You can create up to 30 aliases for each user, or you can set up a user with a catch-all address which accepts any message sent to a domain.

  • a catch-all address accepts any message not addressed to an actual user
1 Like

Disclaimer: I do not have the time to really look for literature and recommendations for the US because they vary from country to country. What follows deals with the situation in Germany.

In my day job, one of my tasks is to audit the annual accounts of companies. One part of these audits also deals with IT security. Recurring mandated password changes are considered a security risk these days.

And thank god, there is a ripple effect. Experts started talking about those risks many years ago, but it took quite some time until the big players agreed.

  1. Create strong unique passwords and do not reuse them - Choosing and Protecting Passwords | CISA. Have a read what is considered strong. Some of us might be surprised how easy it is to have a very strong password that can be remembered easily.

  2. Stick to a password unless you have a valid reason to change it. Why? Because changing strong and unique passwords frequently without forgetting the latest one is not how our brain works. And a secure password for our password manager (yes, we all need one) is only secure as long as it is being stored in our brain and maybe on a note in a safe place in case we forget…

Starting about 10 years ago, several security researchers made the case that frequent time-based password changes might actually do more harm than good. Those researchers faced a strong and fierce opposition. It took time until more and more researchers, organizations and companies realized that those researchers had a valid point. Today, even official IT security agencies are promoting this cause.

2016 - UK’s information security agency warned that “making users change passwords frequently could actually make systems less secure” - Changing your password regularly is a terrible idea, and here's why | ZDNet

2019 - Microsoft gave in (to some degree hell froze over): no password-expiration policies any longer in Windows - Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 | Microsoft Docs

February 2020 - the German BSI (federal agency for security in information technology) updated its base protection compendium and stated that passwords have to be changed in case unauthorized persons have knowledge of the password. A system or application only should request a password change from a user if there is a valid reason. A request to change a password just because a certain time interval has passed should be avoided. Instead, measures have to be taken to detect if a password has been compromised (see ORP.4.A8, ORP.4.A23 [German]).

I am confident that local agencies in different countries have similar policies in place. If a company does not follow these recommendations without valid reasons, auditors regard that company at risk over here. In this case, a company will have to explain why it does not follow those rules.

So, yes, I agree with Glenn. :wink:

1 Like
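The BSI point quoted above (replace interval-based expiry with measures that detect a compromised password) is easy to illustrate with a k-anonymity style breach check. The following is an added example, not code from any poster or from the BSI: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to a lookup service, receives every known-breached hash suffix under that prefix, and finishes the comparison locally, so the full password (and its full hash) never leaves the client. The breach corpus here is a small constructed set standing in for a real breached-password dataset; the function names are assumptions for this example.

```python
import hashlib

# Constructed stand-in for a breached-password corpus. A real deployment
# would load millions of SHA-1 hashes from a breach dataset instead.
_CONSTRUCTED_BREACHED_PASSWORDS = [
    "password",
    "123456",
    "qwerty",
    "Summer2020!",
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the digest the corpus is keyed by)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords) -> dict:
    """Server side: map 5-char hash prefix -> list of 35-char hash suffixes."""
    index: dict = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


# The lookup service's index, built once from the corpus.
_RANGE_INDEX = build_range_index(_CONSTRUCTED_BREACHED_PASSWORDS)


def range_lookup(prefix: str) -> list:
    """Server side: return all breached suffixes for a 5-char prefix.

    The server learns only the prefix, which many unrelated hashes share,
    so it cannot tell which password the client is checking.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return list(_RANGE_INDEX.get(prefix, []))


def is_compromised(password: str) -> bool:
    """Client side: report whether the password appears in the breach corpus.

    Only the 5-character prefix is transmitted; the suffix comparison
    happens locally against the returned candidates.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = range_lookup(prefix)  # the only data sent/received
    return suffix in candidates


def passwords_requiring_change(accounts: dict) -> list:
    """Given {username: password} (e.g. at login time, where the plaintext is
    briefly available), return the users whose current password is known to
    be breached and therefore must be changed. This is the event-driven
    trigger the BSI text asks for, instead of a calendar-based one."""
    return [user for user, pw in accounts.items() if is_compromised(pw)]


if __name__ == "__main__":
    constructed_accounts = {
        "alice": "correct horse battery staple",
        "bob": "Summer2020!",
    }
    print("prefix sent for 'password':", sha1_hex("password")[:5])
    print("users needing a change:", passwords_requiring_change(constructed_accounts))
```

The design choice worth noting: a time-based policy forces every user to rotate on a schedule regardless of exposure, whereas this check only raises a change request for the accounts whose password is actually known to be compromised, which is exactly the "valid reason" the compendium text describes.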

Bruce Schneier is a well known security expert. He also recommends NOT changing your password regularly:

Don’t bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

3 Likes

Thank you all for bringing out a lot of good discussions and references to great studies.

I think the TL;DR is that

there is no NEED for changing a good, strong password regularly, however sometimes we are FORCED to do so by organisations who set the password policies.

2 Likes

In environments where things like NTLMv1 exist and Mimikatz can be used, I think it’s not so easy to make a definitive statement one way or the other.

By extension it is good to additionally do a scan of logins with “enforced” weak passwords and consider changing these passwords regularly, such as:

1 Like