The Raven Group
Security

Why password rotation is a security anti-pattern

July 30, 2025 · 3 min read

If your IT policy still requires users to change their password every 60 or 90 days, you're enforcing a security practice that NIST officially recommended against in 2017. The reason: forced rotation produces predictable, weaker passwords. Faced with making up a new one twelve times a year, humans pick patterns they can predict — last password + 1, last password + season, last password + month. The attacker who breaches your system with one password can usually guess the next two.

The data on this is settled. Studies from Carleton University, Microsoft Research, and the FTC all converge: forced rotation does not improve security against modern attacks. Phishing, credential stuffing, and database breaches don't care how recent your password is. They steal the current one. Rotation only helps in one scenario: a password that has already been compromised without the user knowing it yet. That scenario is much better addressed by breach monitoring (HaveIBeenPwned-style services) and multi-factor authentication.

What works instead: long, unique passwords (managed by a password manager), MFA on every account that supports it, breach monitoring that alerts users when their password appears in a leak, and a clear path to change the password instantly when it does. This is more secure than 90-day rotation by a wide margin, and it has the bonus property of users not actively hating IT for it.
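As an added illustration of the policy the post recommends (example code, not The Raven Group's own): a Python password-change check that rejects the rotation-style variants described above (counter, season or month tacked onto the old password) and looks the candidate up in a Pwned Passwords k-anonymity range response. The `stem`, `is_rotation_derivative` and `validate_change` helpers, the leaked-password list and its counts are constructed for this example; a real deployment fetches the range body from the HIBP API instead.

```python
import hashlib
import re

# Suffixes the post says rotated users tack on: a counter, a season, a month.
SEASONS_MONTHS = (
    "spring", "summer", "autumn", "fall", "winter", "january", "february",
    "march", "april", "may", "june", "july", "august", "september",
    "october", "november", "december",
)
TRAILING_COUNTER = re.compile(r"[0-9!@#$%^&*.?]*$")
TRAILING_SEASON = re.compile("(?:" + "|".join(SEASONS_MONTHS) + ")$")

def stem(password: str) -> str:
    """Reduce a password to the part a user keeps between forced rotations."""
    core = TRAILING_COUNTER.sub("", password.lower())  # drop "2025", "!", "01"
    base = TRAILING_SEASON.sub("", core)               # drop "winter", "july"
    return base or ("<season>" if core else "")        # pure "Winter2025" -> sentinel

def is_rotation_derivative(old: str, new: str) -> bool:
    """True when new differs from old only by a rotation-style suffix."""
    s = stem(old)
    return bool(s) and s == stem(new)

def pwned_count(password: str, range_response: str) -> int:
    """Breach count from a Pwned Passwords k-anonymity range response.
    Caller fetches https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>
    and passes the body; only the 35-char suffix is compared, locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == digest[5:]:
            return int(count)
    return 0

def validate_change(old: str, new: str, range_response: str) -> list[str]:
    """Reasons to reject a proposed change; an empty list means accept."""
    reasons = []
    if is_rotation_derivative(old, new):
        reasons.append("predictable variant of the previous password")
    if (n := pwned_count(new, range_response)) > 0:
        reasons.append(f"seen in {n} breaches")
    return reasons

# Constructed stand-in for a range response: suffixes of a tiny made-up leak list.
LEAKED = {"Raven2025!": 3, "Winter2025": 120}
SAMPLE_RANGE = "\n".join(
    f"{hashlib.sha1(p.encode()).hexdigest().upper()[5:]}:{c}" for p, c in LEAKED.items()
)
```

Run against a real range body, only the five-character SHA-1 prefix is sent to the service, so the check adds breach monitoring without handing the password to a third party.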

Worth saying out loud: many compliance frameworks (PCI-DSS, HIPAA in some interpretations) still have rotation requirements buried in the language. If you're stuck with one, the move is to push the rotation interval as long as policy permits (often a year), and pair it with a real password manager and MFA. The auditor gets their checkbox; the users get to keep their working memory. Eventually those frameworks will catch up to NIST, and the day they do, you'll already be ahead.
