
toot by https://mastodon.social/@raiderrobert

mastodon.social/@raiderrobert/111018092350558793

Systems "SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."

Said another way, if your organization requires regular password changes (every 30 days, 90 days, etc.), then you're making your organization _less_ secure.

This has been a PSA: <https://pages.nist.gov/800-63-3/sp800-63b.html#reqauthtype>
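One place this rule shows up in practice is the shadow-utils password-aging policy on Linux. The following is an added example (not code from the post or its author) that audits an /etc/login.defs-style policy for the arbitrary periodic expiry the NIST text warns against: it parses KEY VALUE lines, reads PASS_MAX_DAYS, and reports a finding when the value forces rotation on a schedule. The two policy texts are constructed inputs, one with the weak 90-day setting and one with 99999, the shadow-utils value for "never expire"; the function and variable names are this example's own.

```python
"""Audit a login.defs-style password policy for arbitrary periodic expiry.

Added example, not from the post. Checks the one rule quoted above:
verifiers SHOULD NOT require memorized secrets to be changed periodically
(NIST SP 800-63B, section 5.1.1.2).
"""
from typing import Dict, List

# shadow-utils treats PASS_MAX_DAYS 99999 (or a negative value) as "never expires".
NO_EXPIRY_SENTINEL = 99999

# Constructed sample policies (not copied from any real host).
WEAK_POLICY = """
# Enforce 90-day rotation  (weak setting)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
"""

FIXED_POLICY = """
# No scheduled expiry; change only on evidence of compromise
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""


def parse_login_defs(text: str) -> Dict[str, str]:
    """Parse KEY VALUE lines, ignoring blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split(None, 1)           # KEY, then the rest of the line
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit_password_expiry(text: str) -> List[str]:
    """Return a list of findings; an empty list means no periodic expiry is enforced."""
    settings = parse_login_defs(text)
    findings: List[str] = []
    raw = settings.get("PASS_MAX_DAYS")
    if raw is None:
        # Not set in this file, so this file does not enforce rotation.
        return findings
    try:
        max_days = int(raw)
    except ValueError:
        return [f"PASS_MAX_DAYS has a non-numeric value: {raw!r}"]
    if 0 < max_days < NO_EXPIRY_SENTINEL:
        findings.append(
            f"PASS_MAX_DAYS={max_days}: forces a password change every "
            f"{max_days} days, contrary to NIST SP 800-63B 5.1.1.2"
        )
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_password_expiry(policy) or ["ok: no periodic expiry"])
```

Run it as a script to see the weak policy flagged and the fixed one pass; pointing `audit_password_expiry` at the contents of a real /etc/login.defs gives the same check for a host you manage. Note that PASS_MAX_DAYS only affects accounts created after the change; existing accounts keep the aging values already stored in /etc/shadow.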