Microsoft is admitting in this new security baseline what many of those in IT security already knew: forcing users to change passwords frequently creates a bigger risk.

“Periodic password expiration is an ancient and obsolete mitigation of very low value”

The question becomes whether other regulatory and compliance bodies will follow.

Source: Microsoft