I have noticed a change in password policy that has been under way for some time (an article from 2017), but I have only just understood it. In my organization, user passwords expire every 90 days. When they established their baseline, that was common practice. But:
… Nowadays, changing the passwords every 90 days gives you the ILLUSION of enhanced security while inflicting unnecessary pain and cost to your organization …
Suppose all my users are professionals who use a generator and a password manager / password safe for all their accounts. As a result, there are no sticky notes with passwords and no incremental password changes. Is there any benefit to replacing their current password / passphrase with a new, randomly generated password every 90 days?