by Zxian 1562 days ago
The intent of the policy doesn't match the real-world implementation of users. Users are lazy. Users will alter a single character or digit in the password and call it changed.

Most people don't use password managers, and some companies block their usage. Now add a requirement of a "secure" password.
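One defender-side check that targets the "alter a single character and call it changed" habit described above, as an added example that is not part of this thread (Python; the threshold, the normalization table and the function names are my own choices). It assumes the old password is available in plaintext at change time because the user must supply it to authorize the change, so no stored hash is involved.

```python
def levenshtein(a: str, b: str) -> int:
    """Minimum single-character insertions, deletions or substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _normalize(p: str) -> str:
    # Case flips and common digit-for-letter swaps add no real entropy,
    # so compare both passwords on a canonical form (assumed mapping).
    table = str.maketrans("0134$@", "oleasa")
    return p.lower().translate(table)


def is_trivial_change(old: str, new: str, min_distance: int = 5) -> bool:
    """True if `new` is only a cosmetic edit of `old` (the 'change one digit' habit)."""
    o, n = _normalize(old), _normalize(new)
    if o == n or o in n or n in o:              # identical, or old padded/truncated
        return True
    if levenshtein(o, n) < min_distance:        # a few characters tweaked
        return True
    if levenshtein(o, n[::-1]) < min_distance:  # old password simply reversed
        return True
    return False


if __name__ == "__main__":
    # Constructed sample pairs for illustration only.
    pairs = [("Winter2023!", "Winter2024!"),
             ("Winter2023!", "!3202retniW"),
             ("Winter2023!", "correct-horse-battery")]
    for old, new in pairs:
        verdict = "rejected" if is_trivial_change(old, new) else "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The check complements, rather than replaces, a breached-password lookup and proper hashing; it only stops a rotation from being satisfied by a cosmetic edit.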


Automated password rotation would use machine generated highly secure passwords. I do not see your point.

This issue for master passwords is a bit harder, yes.

> Automated password rotation would use machine generated highly secure passwords.

Which will result in two things:

1. LOTS of calls to IT from forgotten passwords

2. People writing their passwords down on sticky notes.

I don't really see the issue with people writing their passwords down on sticky notes.

If you're using machine-generated passwords, then what's the point of rotating them?

Breaches happen. You can't always be sure you (or dictionaries) will know.

Even assuming a silent breach happens, it's unclear what the value-add of password rotation is in the context of other solutions that are less burdensome on the user: proper hashing of password databases (in case of a password DB breach) and risk-based authentication (in case of an inadvertent disclosure, like in logs).