It is and it’s actually not even recommended best practise to change passwords anymore precisely because of this. It hasn’t been considered best practise since I think around 2016-17 so businesses are really lagging.
If you get governmental contract work and pretty sure not resetting the passwords too often is actually now part of the security requirement but outside of that businesses just do what they think is best regardless of research.
To be fair, simply forcing users to create a new password every X weeks is bad security policy.
It is and it’s actually not even recommended best practise to change passwords anymore precisely because of this. It hasn’t been considered best practise since I think around 2016-17 so businesses are really lagging.
If you get governmental contract work and pretty sure not resetting the passwords too often is actually now part of the security requirement but outside of that businesses just do what they think is best regardless of research.