
They actually increased the password strength recommendations in the newest guidelines. Length counts more towards the security of the password than character classes, which was increased.

Even without MFA the lack of password expiration is still considered best practice. It's not just parroting.

Separately, though, applying MFA anywhere possible is a best practice and should be separately encouraged from the strength and rotation policies.


