Is It a Best/Recommended Practice to Rotate Passwords?

Problem scenario
You know that hackers and malicious social engineers love passwords. As a systems administrator, security consultant, or I.T. manager, you are considering enforcing password rotation on a schedule: planned, periodic password changes that are mandatory. In theory, if a password was compromised at some point, changing it limits the damage. This is intuitive and consistent with a variety of sources. Many operating systems and LDAP directories have built-in support for expiring passwords after a set interval. Is it a recommended practice to force passwords to be changed (or to expire) after a given amount of time?

Answer
Maybe.

Here are sources that are in favor of password rotation (because they say it is important or something similar):

… infrequent password rotation increases the risk that cyberattacks on vulnerable IoT devices…

https://venturebeat.com/2022/02/18/password-rotation-can-make-or-break-your-security-posture/

Password rotation should be implemented across every account, system, networked hardware, IoT device, application, service, etc. Passwords should be unique, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to specific threat or vulnerability.

https://www.beyondtrust.com/resources/glossary/password-rotation

Page 46 of this PDF (although the page itself is numbered "36") indicates that passwords should expire.

Some companies recommend having strong passwords but also recommend changing just one character each time you rotate the password. This item appears in both sections because the recommendation is ambivalent about the enterprise's policy itself.

Here are sources that advise against password rotation (or at least mention that there are disadvantages to doing it):

https://www.sans.org/blog/the-debate-around-password-rotation-policies/
https://securityboulevard.com/2020/03/the-pros-and-cons-of-password-rotation-policies/
https://spycloud.com/2020-prediction-the-death-of-the-password-rotation-policy/

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes

Some companies recommend having strong passwords but also recommend changing just one character each time you rotate the password. This link appears in both sections because the recommendation is ambivalent about the enterprise's policy itself: https://www.strongdm.com/blog/password-policy-best-practices

FFR
On Linux/Unix machines, /etc/login.defs is the file that sets the default password-expiration settings applied to accounts. Some people consider this file obsolete or a legacy of an older era.
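As an added example (not from the original post), the script below shows how an administrator would audit whether time-based expiration is actually in force. It parses login.defs-style text for the PASS_MAX_DAYS default and shadow-style text for each account's own maximum-age field, then reports which accounts will be forced to change. The inputs are constructed sample text embedded in the script so it runs offline with POSIX sh and awk; on a real host you would read /etc/login.defs and /etc/shadow (the latter as root).

```shell
#!/bin/sh
# Added example: audit password-expiration settings from login.defs-style
# and shadow-style text. Both inputs below are constructed samples.

SAMPLE_LOGIN_DEFS='# constructed excerpt of /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
'

# constructed /etc/shadow excerpt; fields are
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='alice:$6$redacted:19700:1:90:7:::
bob:$6$redacted:19700:0:99999:7:::
svc_backup:$6$redacted:19700:0::::
root:!:19700:0:99999:7:::
'

# login_defs_value KEY TEXT -> prints the value of KEY, skipping comments;
# exits 1 when the key is absent.
login_defs_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $1 == key { print $2; found = 1 }
        END { if (!found) exit 1 }'
}

# shadow_max_days USER TEXT -> prints field 5 (max days) for USER, or
# "none" when the field is empty (aging disabled for that account).
shadow_max_days() {
    printf '%s\n' "$2" | awk -F: -v user="$1" '
        $1 == user { print ($5 == "" ? "none" : $5); found = 1 }
        END { if (!found) exit 1 }'
}

# rotation_enforced MAX_DAYS -> "yes" if the value forces a change,
# "no" for an empty field or the conventional 99999 "never" sentinel.
rotation_enforced() {
    case "$1" in
        ""|none|99999) echo no ;;
        *) echo yes ;;
    esac
}

# report LOGIN_DEFS_TEXT SHADOW_TEXT -> the default plus one line per account.
# The login.defs default only seeds new accounts; existing accounts keep
# whatever max-age is recorded in their own shadow entry.
report() {
    default_max=$(login_defs_value PASS_MAX_DAYS "$1")
    echo "login.defs default PASS_MAX_DAYS=$default_max (applies to accounts created after it was set)"
    printf '%s\n' "$2" | awk -F: 'NF >= 5 && $1 != "" { print $1 }' | while read -r user; do
        max=$(shadow_max_days "$user" "$2")
        echo "$user: max_days=$max rotation_enforced=$(rotation_enforced "$max")"
    done
}

report "$SAMPLE_LOGIN_DEFS" "$SAMPLE_SHADOW"
```

The point the report makes is that a PASS_MAX_DAYS value in /etc/login.defs is only the default handed to accounts created afterwards; accounts that already exist keep the maximum-age value stored in their own /etc/shadow entry, so a policy review has to check both files (on a live system, `chage -l USER` shows the same per-account values).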
