by nend 1575 days ago
This has been a standard IT policy for companies in the US for like 20 years. Probably 3/4 of the companies I've worked at over that time anyway.
2 comments

NIST actually changed their recommendation relatively recently and no longer suggests periodic password changes without reason.

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Source: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver
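To make the quoted SP 800-63B requirement concrete, here is an added example (not part of the thread, and not NIST's or any product's code) that contrasts the legacy "rotate every 90 days" rule with a policy that forces a change only on evidence of compromise. The audit event lines, account data, and the set of event names treated as compromise evidence are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Event types this example treats as "evidence of compromise of the
# authenticator" (an assumption; a real deployment would map its own
# telemetry, e.g. breach-corpus hits or fraud-detection alerts, to this set).
COMPROMISE_EVENT_TYPES = {
    "credential_found_in_breach_dump",
    "impossible_travel_login",
    "password_submitted_to_phishing_site",
}

# Constructed sample audit log lines: "<date> <user> <event>".
SAMPLE_EVENTS = [
    "2022-03-01 alice login_ok",
    "2022-03-02 bob   credential_found_in_breach_dump",
    "2022-03-03 carol login_ok",
    "2022-03-04 carol impossible_travel_login",
    "2022-03-04 dave  login_ok",
]


@dataclass
class Account:
    username: str
    password_set_on: date
    compromise_events: list = field(default_factory=list)


def compromise_evidence(events, username):
    """Return the compromise-type events recorded for `username`."""
    found = []
    for line in events:
        _, user, event = line.split()
        if user == username and event in COMPROMISE_EVENT_TYPES:
            found.append(event)
    return found


def legacy_must_change(account, today, max_age_days=90):
    """Legacy rule: force a change when the password is older than
    `max_age_days`, and also on evidence of compromise."""
    age = today - account.password_set_on
    return age > timedelta(days=max_age_days) or bool(account.compromise_events)


def nist_must_change(account, today):
    """SP 800-63B rule (SHOULD NOT rotate arbitrarily; SHALL force a change on
    evidence of compromise): password age is ignored entirely."""
    return bool(account.compromise_events)


def evaluate(accounts, events, today):
    """Attach compromise evidence to each account and return, per user,
    a (legacy_decision, nist_decision) pair."""
    decisions = {}
    for acct in accounts:
        acct.compromise_events = compromise_evidence(events, acct.username)
        decisions[acct.username] = (
            legacy_must_change(acct, today),
            nist_must_change(acct, today),
        )
    return decisions


# Constructed accounts for the demonstration.
SAMPLE_ACCOUNTS = [
    Account("alice", date(2021, 6, 1)),   # old password, no compromise evidence
    Account("bob", date(2022, 2, 1)),     # fresh password, found in a breach dump
    Account("carol", date(2022, 3, 1)),   # fresh password, anomalous login
    Account("dave", date(2022, 1, 20)),   # 44-day-old password, nothing suspicious
]

if __name__ == "__main__":
    for user, (legacy, nist) in evaluate(SAMPLE_ACCOUNTS, SAMPLE_EVENTS, date(2022, 3, 5)).items():
        print(f"{user:6} legacy_forces_change={legacy!s:5} nist_forces_change={nist!s:5}")
```

Running it shows the difference the thread is talking about: only `alice` is treated differently, because the legacy policy forces her to rotate a password for which there is no sign of compromise, while both policies agree that `bob` and `carol` must change theirs once the telemetry shows evidence of compromise.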

Yes, and I believe they initially made this change in June 2017 (almost 5 years ago now). IT audit/compliance is typically 5 to 10 years behind best security practices and some standards are even slower to catch up.
Welp, I guess I am now old enough that 5 years ago is "relatively recently." :/
I think the question is do people naturally change old passwords without such policies.

The policies are the problem and the industry has recognized it so they’ve moved away from those recommendations.

Yes, this basically. Sure if you have to change your password you will, but if there is nothing compelling you to do so why do it? And if yes, why.