Encourages users to just add a rotating number or other not too secure thing to their password. I know that’s what I did when I worked somewhere with that dumbfuck policy.
Yep. My least secure password is the one I use at work because I'm restricted to 9-12 characters, can't be sequential forwards or backwards including keys next to each other (abc, 123, qwerty), can't begin with a number, must contain at least three numbers, must be at least four characters different from your last twelve passwords, and must be changed every 90 days. Oh and it can't include your first or last name.
Most of my coworkers just use a family members name and then change a few numbers at the end and keep a post it note at their desk with the numbers so they don't forget it.
Last time I worked in a company with this policy I actually made it into an advantage.
Sure, having to change password every 3 months was annoying, but honestly I did not see advantage in rotating 2 or 3 passwords because since I would use the password many times a day, getting used to new password was easy enough---using "old new" passwords from 6-9 months ago would not be any easier: it would just mean that I have to remember some password for longer time.
I also realized that if I re-use the expired password elsewhere, I can actually cascade the passwords across my main systems: for example, when password expired at work, I would re-use it for personal e-mail, and re-use that old e-mail password for something less valuable, such as "random" forums.
That way I could keep steady flow of passwords through all my accounts, while at the any time I would always get the muscle memory for free: there would always just one "truly new" password -- and it would be the most used one, hence the fastest one to learn.
Well, of course this assumes some level of security in the systems I used. If my work got hacked (or keylogged) and someone could keep stealing all the passwords for long enough they could use them for all my services :-D If they only got hashes and everyone else used salt, the damage would be limited, though.
Also, counter-productive measures such as "must contain all blah blah" even if it's 15 chars long or worse, limiting password chars or length can make things more complicated. (I think that's why I almost never changed my PayPal password -- I suspect they still don't allow spaces.)
NIST removed password expiration from their recommendations in 2020. Instead they recommend only forcing password changes when compromise is suspected.
The main argument is that they do not make users or systems demonstrably safer and encourage bad password habits.
I would imagine most users change their password by only 1 character, and maybe even in sequential order.
When time comes to change the password, it becomes password1234 instead of password123. Or password234. Something easy to remember, most users don't care about best security practices, and changing to a similar password is very convenient. Especially if it's "only" for work stuff