For decades cybersecurity professionals held tight to the idea that passwords needed to be changed on a regular basis. In recent years, however, organizations such as NIST and Microsoft have abandoned this longstanding best practice and are now recommending against mandatory password expiration.
The case against password expiration
Microsoft lists two main reasons why scheduled password expirations should be avoided.
Fast-acting criminals won’t be deterred by your 90-day change policy
First, the company argues that scheduled password changes do little to prevent an intruder from gaining access to a victim’s network because threat actors almost always make immediate use of compromised passwords.