Does anyone else despise mandatory password expirations as an #infosec security practice? Key rotations are good. Password expirations are terrible and encourage users to make and reuse terrible passwords, making small modifications to them to cheat the system. How is this so commonplace?
@sidd thanks for an idea about a blog post. In general, I agree, but as someone responsible for defending a large organization, there is a practical benefit to even people incrementing a number at the end of their password every 90 days

@jerry

The policy makes sense only because people are setting simple passwords. However, the systems I've seen also limit password length, which effectively encourages people to pick simple passwords suffixed by 1 or 2 digits.

Making people change their password is a bad practice from a different age, IMO. Such orgs these days are only safe due to proliferation of 2FA, IMO.

@sidd

@alexandru @jerry YESSSS I HAVE NEVER UNDERSTOOD THIS. I get minimum lengths, why on god's green earth would you ever add a MAXIMUM length limit?? 💢
@sidd @alexandru @jerry It makes sense when passwords are stored in plaintext 🙃🙈
@Skyper Why did you have to make me think about that
@alexandru @sidd Ideally, we force MFA. The most significant problem I face with password only authentication is password reuse. And it's a major problem.
@jerry I don't see that as providing additional value. Maybe I'm missing something, but if I were trying to break passwords (given a leaked hash database), and the password rule asked for "at least one numeral", I'd definitely add a fuzzer that tried variants appending 0..9 at the end of each tested string. That's the bit users are most likely to use for checking off the rule.
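The cracker-side mangling step described in the reply above, written out as an added example (this is not code from the thread or from any project the participants run): a generator of "rotation variants" for a leaked password, run against a PBKDF2 hash constructed here as a stand-in for an entry in a leaked hash database. The salt, the iteration count, the old password "Winter2023" and its rotated successor "Winter2024" are all made up for the demonstration. It goes slightly beyond the reply by also incrementing an existing trailing number, since that is what a 90-day rotation most often produces.

```python
import hashlib
import hmac
import re


def rotation_variants(leaked: str, max_increment: int = 5, max_append: int = 2) -> list[str]:
    """Candidates a cracker tries first against a 'change every 90 days,
    include a numeral' policy: the leaked value itself, its trailing number
    incremented a few times (Winter2023 -> Winter2024), and the stem with
    0..99 appended (Password -> Password1). Order is kept, duplicates dropped."""
    m = re.match(r"^(.*?)(\d+)$", leaked)
    stem, num = (m.group(1), m.group(2)) if m else (leaked, None)
    cands = [leaked]
    if num is not None:
        for k in range(1, max_increment + 1):
            cands.append(f"{stem}{int(num) + k:0{len(num)}d}")
    for n in range(10 ** max_append):
        cands.append(f"{stem}{n}")
    seen, out = set(), []
    for c in cands:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def pw_hash(password: str, salt: bytes, iterations: int = 10_000) -> str:
    """Stand-in for a stored credential: PBKDF2-HMAC-SHA256 (constructed for
    the example; a real dump carries whatever the application used)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def crack(stored_hex: str, salt: bytes, leaked_passwords) -> tuple:
    """Run every rotation variant of each previously leaked password against
    one stored hash. Returns (recovered_password, attempts) or (None, attempts)."""
    attempts = 0
    for leaked in leaked_passwords:
        for cand in rotation_variants(leaked):
            attempts += 1
            if hmac.compare_digest(pw_hash(cand, salt), stored_hex):
                return cand, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed scenario: the user's old password "Winter2023" is in a public
    # dump; the forced rotation changed it to "Winter2024".
    salt = b"example-salt"
    stored = pw_hash("Winter2024", salt)
    print(crack(stored, salt, ["Winter2023"]))  # recovered on the second attempt
```

The point of the numbers: a rotated password costs the attacker a handful of extra guesses per leaked entry, while a genuinely new password costs the full 106-candidate pass and still fails.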

@jerry @sidd I tend to think that monitoring is your best tool. Multiple failed logins, geographic improbabilities, unexpected devices, etc. If you can force MFA challenges under such circumstances, you reduce much of the risk for day-to-day accounts. Use k-anonymity and/or breached password checks in the password change flow.

Then apply your more stringent standards to higher-risk accounts (privileged accounts, high-value targets, etc.) I think a targeted approach, coupled with good communication with end users, gets you so much closer to a regime everyone can support and live with.
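The k-anonymity breached-password check mentioned above, as an added example that is not part of the thread: the Pwned Passwords range protocol (SHA-1 the candidate, send only the first five hex characters, compare the remaining 35 locally) in Python, wired into a small password-change policy with a minimum length and no maximum. To run offline it uses a constructed stand-in for the range service; the suffix for "password" is its real SHA-1 remainder, but the counts and the other two suffixes in SAMPLE_RANGES are made up. The optional online fetcher targets the public https://api.pwnedpasswords.com/range/ endpoint and needs network access.

```python
import hashlib
import urllib.request


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the SHA-1 of the password the way the range protocol does:
    only the 5-hex-character prefix ever leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Padded responses contain
    filler entries with count 0, which are dropped."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        n = int(count)
        if n > 0:
            table[suffix.upper()] = n
    return table


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in known breaches (0 if none)."""
    prefix, suffix = hibp_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_new_password(password: str, fetch_range, min_length: int = 12):
    """Password-change policy: a minimum length, no maximum, and reject
    anything that appears in known breaches. Returns (allowed, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password, fetch_range)
    if n:
        return False, f"seen {n} times in known breaches"
    return True, "ok"


# Constructed stand-in for the range service so the example runs offline.
SAMPLE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000\n"
        "2A8D9CF6DE3E06A44E8A91D5B0C1F7E2D00:0\n"
    ),
}


def constructed_fetch_range(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix.upper(), "")


def online_fetch_range(prefix: str) -> str:
    """Real range lookup against the Pwned Passwords API (network needed).
    Add-Padding asks the service to pad the response so its size does not
    reveal how many suffixes the prefix really has."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pw-change-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, check_new_password(pw, constructed_fetch_range, min_length=8))
```

Swap constructed_fetch_range for online_fetch_range to check against the live corpus; the property that matters for the change flow is that the full hash, and so the password, never leaves the server doing the check.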