I recently received notice that Clarivate will require passwords to be changed every 180 days starting in the first quarter of next year. I was wondering why this change is being made. This is an antiquated technique that has actually been shown to DECREASE security by encouraging password reuse across different sites. Two-factor authentication is a much better strategy.
NIST (the National Institute of Standards and Technology of the US) actually updated its standards to advise AGAINST forced password change unless there is evidence of a breach.
See NIST SP 800-63B.
I use a password manager (Bitwarden) and use 20+ character-long strings of random characters, so this new policy isn’t too much of a burden, but it is a PIA to have to change the password and then go into the software and change it there as well. All in the name of making a change that has been shown to make things less secure.