NIST used to tell orgs to require password rotation. Some years ago they changed their recommendation with an explanation that it adds not security benefits while it encourages users to write down or use shittier passwords.