by jhardy54 917 days ago
> […] regularly rotate their MongoDB Atlas passwords

Is there some context I’m missing, or is this a modern security team recommending password rotation?


Regularly rotating secrets for applications is good. Forcing users to regularly rotate their passwords is not so good.
Correct! NIST recommends against forcing password expiry unless the password is known to be compromised.

https://pages.nist.gov/800-63-FAQ/#q-b05

Thankfully all of my users are extreme statistical aberrations who do not re-use the same memorized password (or a variation on it) for more than one thing, ever, at all OR they diligently watch every single possible place they have ever re-used any of their memorized passwords, with the globally mandated and complied-with reporting, so they can know if a password they once re-used at grandmas-cookies.blog.example.com has been compromised.

The fact that all websites, servers, systems (etc.) check to see if passwords are known to be compromised (since NIST says verifiers will do that) makes things a lot easier, too.
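The verifier-side check the thread is arguing about, as an added example that is not from any commenter: a password is checked against a breach corpus with a k-anonymity prefix lookup (only the first five SHA-1 hex characters leave the verifier), and the rotation policy keys on compromise rather than age. The breach corpus and the two policy functions are constructed for the demo; a real deployment would query a breach feed such as the HIBP range API with the same 5-character prefix.

```python
"""Compromised-password check in the spirit of NIST SP 800-63B: never force
expiry on a schedule, do force a change when the password is known to be
compromised. Added example; corpus and policies are constructed for the demo."""
import hashlib

# Constructed breach corpus: SHA-1 hex digests of a few passwords that appear
# in public breach lists. A real corpus has hundreds of millions of entries.
_BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PASSWORDS
}


def range_lookup(prefix):
    """Simulate a k-anonymity range query: given the first 5 hex characters of
    a SHA-1 hash, return the set of 35-character suffixes in the corpus that
    share that prefix. The full hash is never sent to the lookup service."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_compromised(password):
    """True if the password's SHA-1 hash is in the breach corpus, decided
    locally by comparing the suffix against the range-query result."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def legacy_policy(password, days_since_change, max_age_days=90):
    """Constructed 'old school' policy: expire purely on age, ignoring breaches."""
    return days_since_change > max_age_days


def nist_policy(password, days_since_change):
    """Constructed policy matching the thread: age alone never forces a change;
    evidence of compromise does, regardless of how recently it was set."""
    return is_compromised(password)


if __name__ == "__main__":
    for pw, age in [("password", 3), ("correct horse battery staple", 400)]:
        print(f"{pw!r:35} age={age:>3}d legacy={legacy_policy(pw, age)} "
              f"nist={nist_policy(pw, age)}")
```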