Password Change Frequency

Discussion

I was very happy to read that the National Institute of Standards and Technology (NIST) has issued guidance that it no longer recommends mandatory periodic password changes for users within an organization.

I have been preaching this for years to my clients who force everyone to change passwords every 60 or 90 days. Here were my recommendations to them back in 2012: "This is a counter-effective requirement that not only frustrates users but results in less secure passwords being used. When a user is required to change a password too frequently, they tend to write it down near their computer and/or reuse the same password with an incrementing number at the end (password1, password2, etc.). If strong passwords are in place, there is no reason to require them to be changed frequently unless there is suspicion of a security breach that might necessitate it."

Does anyone else know of organizations that are still requiring this?

4
7 replies