Microsoft is admitting in this new security baseline what many of those in IT security already knew: forcing users to change passwords frequently creates a bigger risk.
“Periodic password expiration is an ancient and obsolete mitigation of very low value”
The question becomes whether other regulatory and compliance bodies will follow.
Source: Microsoft