If your company forces password changes every 90 days, your company is making you less secure. Not more.
NIST, the people who literally write the security standards, upgraded this from "you shouldn't do it" to "you shall not do it" in 2025.
Microsoft dropped password expiration from their security baseline in 2019, calling it "an ancient and obsolete mitigation of very low value."
The UK's National Cyber Security Centre: "Regular password changing harms rather than improves security."
The FTC said the same thing back in 2016.
We've known this for over a decade.
Why it backfires
A UNC Chapel Hill study looked at 7,700+ accounts and found that knowing a user's previous password let attackers guess the next one in under 5 attempts for 17% of accounts. With access to the hash, they cracked 41% of current passwords within 3 seconds.
Because Password1 becomes Password2 becomes Password3. Everyone does it. Forced rotation trains people to pick predictable passwords.
And attackers who steal credentials use them immediately. Not 90 days later.
What actually works
MFA. Breached-password screening. A password manager like 1Password or Bitwarden that generates unique, long passwords for every service. Change passwords only when there's evidence of compromise.
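As an added example (not code from the original post), here is one way to implement two of those checks in Python: breached-password screening that only sends a 5-character SHA-1 prefix to the lookup side, in the k-anonymity style used by breached-password APIs, plus a heuristic that flags the "Password1 becomes Password2" rotation pattern from the UNC study. The breach corpus and the range-lookup service are constructed and served locally so the block runs offline; the minimum length default, the prefix length and the variant heuristic are my assumptions, not values taken from the post or from NIST.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample corpus of breached passwords with occurrence counts.
# Stands in for a real breach dataset; the strings are chosen for the demo.
BREACHED_CORPUS: Dict[str, int] = {
    "password": 100000,
    "Password1": 50000,
    "Password2": 20000,
    "qwerty123": 30000,
    "letmein": 15000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the digest breached-password range APIs use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Range index built once: 5-hex-char prefix -> {remaining 35 chars: count}.
# This mirrors the k-anonymity range-query design (assumed); it is served
# locally here so the example needs no network access.
RANGE_INDEX: Dict[str, Dict[str, int]] = {}
for _pw, _count in BREACHED_CORPUS.items():
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def range_lookup(prefix: str) -> Dict[str, int]:
    """Simulated server side: return every hash suffix in the bucket for a 5-char prefix.
    The server never learns which suffix the client is interested in."""
    return dict(RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def is_trivial_variant(old: str, new: str) -> bool:
    """Heuristic for the rotation pattern: same letters with digits or symbols
    bumped, appended, removed, or case flipped. Does not catch leet-style
    substitutions; it is a cheap first filter, not a full similarity model."""
    def core(p: str) -> str:
        return re.sub(r"[\d\W_]+", "", p).lower()

    if old.lower() == new.lower():
        return True
    c_old, c_new = core(old), core(new)
    return bool(c_old) and c_old == c_new


def evaluate_password(candidate: str, previous: Optional[str] = None,
                      min_len: int = 8) -> List[str]:
    """Return the list of rejection reasons; an empty list means accept.
    No composition rules and no expiry: length, breach screening, and (only
    when a change is actually happening) a check against a trivial variant."""
    reasons: List[str] = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    n = breach_count(candidate)
    if n:
        reasons.append(f"appears in breach corpus ({n} times)")
    if previous is not None and is_trivial_variant(previous, candidate):
        reasons.append("trivial variant of the previous password")
    return reasons


if __name__ == "__main__":
    for cand, prev in [("Password2", "Password1"),
                       ("correct horse battery staple", "Password1"),
                       ("short", None)]:
        print(repr(cand), "->", evaluate_password(cand, prev) or "accepted")
```

The split between range_lookup and breach_count is the point of the design: the lookup side receives only a prefix that matches a whole bucket of hashes, so screening against a third-party corpus does not hand that party the user's password or its full hash. The variant check is only consulted when a previous password is supplied, which matches the post's position that changes happen on evidence of compromise rather than on a schedule.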
NIST even requires that systems allow password managers and paste functionality. If your company blocks paste on login fields, it's actively working against the standard.
That's it. That's the policy.