https://www.cnet.com/news/microsoft-admits-expiring-password-rules-are-useless/

"When humans are assigned or forced to create passwords that are hard to remember, too often they'll write them down where others can see them," Microsoft's Aaron Margosis wrote in a blog post Wednesday. Worse, Margosis wrote, when people are forced to change their passwords, too often they make a "small and predictable alteration to their existing password," or they'll just forget it. (Duh.)

The blog post introduces a broader set of "baseline" security settings Microsoft is considering recommending to companies that use its computer management software. Think of them as defaults of a sort.