I’ve lost count of the number of organisations I’ve worked for that have adhered to the NIST (National Institute of Standards and Technology) password advice from back in 2003. I’ve scoffed every time I’ve looked around their offices to see (a sea of?) password post-it notes with various passwords written down. Honestly, every 90 days?
Clearly they have people in charge of making security decisions who simply are not qualified to do so.
Finally, the author of those guidelines, NIST manager Bill Burr, has admitted that he was completely wrong.