@HeartInternet NCSC, for example, advise against forcing regular expiry - https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry - focus should be on implementing monitoring and other defences, rather than relying on something that offers little practical protection