Way back in 2006 I wrote about how password changes were a bad idea
[0], backed up commentary by Eugene Spafford [1]. I'm dismayed that
the password change policy is still very prevalent at the corporate
level, almost 17 years later. It's an annoying practice for users
that needs to stop. Where I work, policy forces use of two-factor
authentication but still forces users to change passwords every 90
days. This is completely non-sensical.

[0]: gopher://gopher.unixlore.net/0/articles/historical-blog-posts/20060428-the-myth-of-the-password-change.txt
[1]: https://www.cerias.purdue.edu/site/blog/post/password-change-myths/