Your password expiration policy has expired. Here’s why.>
Medium – Dave Probert
Companies adhere to the password strength portion of policy while still expiring passwords, even though there has been a major shift against that archaic habit. SANS, a major player in the security sector says, don’t expire your passwords. Microsoft and NIST also agree that password expiration is no longer necessary (especially with multi factor authentication — come on).

The mindset to this policy is, ‘Let’s constantly change our passwords just in case they’ve been compromised’. But it’s a cat and mouse game. You force a change today which results in a significantly weaker password that can be cracked next week. If it’s going to be cracked, it’s going to be cracked, making it weaker is just increasing the likelihood of that happening.

I realize that not everyone agrees with this philosophy, but hopefully this gives you a little something to think about. There’s always going to be policy, and those policies can certainly help protect us. That said, all policies aren’t created equal, and some do more harm than good.
Link: https://medium.com/@probertd/your-password-expiration-policy-has-expired-heres-why-1fb307694ebb