Password change after XX days
Due to legal reasons, there is a requirement for a regular password change in the German banking industry. I recommend an automatic password change, which must be done by the user after XX days. If the password change is not done, registration is not possible without changing the password into a new one. This ensures that a password change is carried out at regular intervals and thus also the security of the login protection.
There are several studies showing that a mechanism forcing users to change their password on a regular basis does not add any security to a platform.
Therefore, it's something we are probably not going to implement.
Peter Blenninger commented
Regular password changes are not state of the art. E.g. https://teiss.co.uk/iot/intelligence-agency-reminds-businesses-of-the-risks-of-password-expiry/ or (German) https://www.heise.de/security/meldung/Aendere-dein-Passwort-Tag-Pro-und-Contra-Passwortwechsel-3613327.html