by ryangittins 1567 days ago
NIST actually changed their recommendation relatively recently and no longer suggests periodic password changes without reason.

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Source: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver

1 comment

Yes, and I believe they initially made this change in June 2017 (almost 5 years ago now). IT audit/compliance is typically 5 to 10 years behind best security practices and some standards are even slower to catch up.
Welp, I guess I am now old enough that 5 years ago is "relatively recently." :/