Below links provide source, reference link and relevant quote
https://github.com/usnistgov/800-63-3/blob/nist-pages/sp800-63b/sec5_authenticators.md
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
https://www.asd.gov.au/publications/protect/Passphrase_Requirements.pdf
ASD encourages the use of longer passphrases without complexity ... ASD also encourages system owners to consider whether passphrases need to expire or not
You shouldn’t change your passwords often, such as every month, as this leads to poor passwords https://www.servicesaustralia.gov.au/individuals/subjects/how-protect-against-scams/personal-information-security
Password expiration policies do more harm than good
Password guidelines for administrators... Don't require mandatory periodic password resets for user accounts
https://www.staysmartonline.gov.au/alert-service/new-guidelines-creating-strong-passwords
Stop frequently changing passwords, for example each month, as it leads to poor passwords being created
https://www.acsc.gov.au/publications/protect/passphrase-requirements.htm
ACSC recommends they be at least 13 alphabetic characters. A number of randomly chosen dictionary words would satisfy this requirement
https://www.canada.ca/en/government/system/digital-government/password-guidance.html#toc3
Favour length over complexity. Eliminate password expiry.
https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords
As a general rule, get your users to create a strong initial password and only change them if there are pressing reasons, such as a personal data breach.
https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/authentication-methods
Use long passwords. Do not force users to mix and match different types of character sets.
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive.
https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die
changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost to your organization
https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy
Passwords should be changed only when there is reason to believe a password has been compromised
Best Practices for Managing Passwords: Policies Must Balance Risk, Compliance and Usability Needs
Password Aging Is Widely Advocated but Rarely Worthwhile
Password Aging Can Burden an Already-Weak Authentication Method
Password aging is commonly advocated as a necessary standard; however, it is difficult to identify cases in which it has improved the level of security or prevented an incident. In many cases, it can induce user behaviors that may actually create security risks.
Sonia Chiasson and P. C. Oorschot. 2015. Quantifying the security advantage of password expiration policies. Des. Codes Cryptography 77, 2-3 (December 2015), 401-408.
http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
In sum ... the burden appears to shift to those who continue to support password aging policies, to explain why
Yinqian Zhang, Fabian Monrose, and Michael K Reiter. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), 2010
Using this framework, we confirm previous conjectures that the effectiveness of expiration inmeeting its intended goal is weak
https://www.engadget.com/2017/08/08/nist-new-password-guidelines/
Much of what I did I now regret
https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
forcibly rotating passwords is a modern-day security anti-pattern
@technion
I added two references: Government of Canada and ENISA.
https://gist.github.com/rptaylor/44edb4ca7e4166619f0013cd5b461cb7
Can you pull the update?