VOW Password Changes

A client recently asked me about the VOW password change requirement that reads as follows “A Participant shall require that Registrants’ passwords be reconfirmed or changed every 180 days.”

What is the security driver for the rule as written? The chance that a compromised password will happen to be changed before an attacker uses it is negligible.

This is why the NIST guideline is as follows:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
(https://pages.nist.gov/800-63-3/sp800-63b.html)

There are many reasons to force a password change, but in a well-designed password system the change should not be triggered on an arbitrary schedule, and in a poorly-designed system scheduled rotation provides little value.
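To put a number on the claim above, here is an added example (my own, not part of the original post) that estimates how often a 180-day rotation actually lands between the moment a password is compromised and the moment it is first used. The model is an assumption of mine: the compromise happens at a uniformly random point inside one rotation period, the password is replaced exactly at the end of that period, and the attacker waits a fixed delay before using it.

```python
"""Estimate how often calendar-based rotation beats an attacker to a stolen password.

Model (assumed, not taken from the post or from NIST):
  - rotation period T days (VOW: 180), password replaced exactly at the end of it
  - compromise occurs at a uniformly random time t_c in [0, T)
  - attacker first uses the password d days after compromise
Rotation only helps if t_c + d >= T, i.e. the compromise falls in the last d days
of the period, so the analytic probability is min(d / T, 1).
"""
import random

VOW_ROTATION_DAYS = 180  # the interval quoted in the VOW rule


def p_rotation_before_use(attacker_delay_days: float, rotation_days: float) -> float:
    """Analytic probability that scheduled rotation invalidates the password in time."""
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    return min(max(attacker_delay_days, 0.0) / rotation_days, 1.0)


def simulate(attacker_delay_days: float, rotation_days: float,
             trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo check of the same quantity, using the model's assumptions."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        compromised_at = rng.uniform(0.0, rotation_days)   # uniform in the period
        used_at = compromised_at + attacker_delay_days    # fixed attacker delay
        if used_at >= rotation_days:                      # rotation came first
            hits += 1
    return hits / trials


def rotation_effectiveness(delays=(1 / 24, 1.0, 7.0, 30.0),
                           rotation_days: float = VOW_ROTATION_DAYS) -> dict:
    """Probability the 180-day rule helps, for a range of attacker delays (days)."""
    return {d: p_rotation_before_use(d, rotation_days) for d in delays}


if __name__ == "__main__":
    for delay, p in rotation_effectiveness().items():
        print(f"attacker waits {delay:7.3f} days -> rotation helps {p:6.2%} of the time")
```

Even if an attacker sits on a stolen password for a full week, the scheduled change interrupts them in under 4% of cases, which is the point the NIST guidance reflects.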

But, at this point, the VOW rule must be complied with.