If you really want to get deep into the details of digital security, read the four-volume Digital Identity Guidelines from the National Institute of Standards and Technology (NIST). It’s a massive document, and much of it is aimed at Federal agencies that need extremely robust security. There’s plenty of practical, easy-to-read information there as well, such as the discussion of how long and complex passwords really need to be. You’ll find those details in the short appendix titled “Strength of Memorized Secrets.”
The folks at NIST have created a simple Cybersecurity Basics page that boils all that technical information down to a set of crisp guidelines for small business owners and managers.
Experts agree that changing passwords regularly isn’t necessary, and that organizations requiring users to change their password for no reason are actually making their networks less secure.
Why? Because people who are forced to change passwords regularly are likely to choose a weak, easy-to-guess password. If you’ve done a solid job of choosing a strong and unique password, there’s no need to change it under normal circumstances.
They’re all very sensible rules, and changing a well-chosen unique password every month, is not one of the recommendations. I recall making a post about this a year or two back, where the originator of that idea of monthly changes had explained where he came up with that idea, and it had no basis on any fact at all. And yet to this day most IT departments still require such changes, and of course users just tack on a number they keep changing (defeating the whole objective of that idea anyway).
See https://www.zdnet.com/article/7-password-rules-to-live-by-in-2024-according-to-security-experts