What I've been saying for years ....
From the O'Reilly Security Newsletter:
https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we...
1. Forcing people to frequently change passwords is not helpful. It just makes it more likely that they will stick the password on a Post-it on their monitors because they can't remember it.
2. Imposed password complexity does not help either. (As I keep telling people, the only way that a user can make his/her password harder to "guess" in the modern age is to make it longer. It is just as easy for a brute-force botnet application to "guess" "#51aQ4@5)?" as it is to guess "YourMomma!".)
Maybe I should start my own security newsletter....
Ken Dibble www.stic-cil.org