There have been many (somewhat) recent changes in guidance for configuring and enforcing a password policy. Several years ago, many leading organizations in technology and cybersecurity, including NIST and Microsoft, conducted research on the benefits and risks of password requirements. One major shift in password policy guidance was the realization that forcing users to reset their passwords actually caused them to follow unsafe practices and forget their passwords more often. This led to more users saving their passwords in insecure ways or requesting password resets. NIST and Microsoft have gone as far as to say that you should NOT require any password resets moving forward.
The Center for Internet Security (CIS) points out that this is too aggressive a change for most organizations today, as most organizations do not follow ALL the other supplemental security controls that should be in place before making the change. These controls include password blacklisting and password/account monitoring services that detect whether a password has been compromised. The CIS also points out some real-world examples of when a forced password reset, on a more conservative timeframe, can avoid other potential issues. The CIS created an excellent Password Policy Guide (link below) that all businesses should read through before making any changes to their own policy. This guide provides very clear-cut recommendations with data to back them up.
See the list of references below.