
It is. I work as an IT tech at a military defense contractor and they require regular recycling of passwords, with a decent number of passwords remembered. They at least have complexity requirements applied, so not 100% bad, but still archaic.


The same NIST document (800-63) that recommends against password expiration also recommends against complexity requirements; instead, organizations are supposed to develop a list of bad passwords that would likely be used in an external dictionary attack.

People understandably get really fired up by the idea of not having to change their password every 90 days, but forget that the guidelines are a package that contains a lot of "shall"s (no password expiration is a mere "should") that would be more painful for organizations stuck with a lot of legacy software, like the requirement to use two authentication factors and the use of secure authentication protocols.


Heh. I just increment a number in my password. Then just repeat. So “CompanyName[00]” meets almost all complexity requirements and all I have to do is increment the numbers.

Note: I only do this when I have these requirements and I can’t use a password manager.
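The NIST SP 800-63B verifier rules referred to above (a length floor of 8, no composition rules, and a check against a blocklist of common, compromised and context-specific values such as the service name or username) can be shown in a few dozen lines, and the same check explains why the "CompanyName[00]" increment trick from the comment above does not survive it. This is an added example, not code from the thread or from NIST; the blocklist contents, the company names in CONTEXT_WORDS and the usernames are constructed placeholders, and the suffix-stripping normalization is an assumption about how a verifier would fold "CompanyName[01]" and "CompanyName[02]" into the same base word.

```python
import re
import unicodedata

# Constructed sample blocklist. A real deployment would load a breached-password
# corpus or a large common-password list; these entries are placeholders.
BLOCKLIST = {
    "password", "password1", "qwerty", "letmein", "123456", "welcome", "welcome1",
}

# Context-specific words the organization supplies (hypothetical values).
CONTEXT_WORDS = {"companyname", "acme"}

# 800-63B: at least 8 characters SHALL be required, at least 64 SHOULD be allowed.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Trailing digits/symbols that people bolt on to satisfy composition rules.
_TRAILING_NOISE = re.compile(r"[\d!@#$%^&*()_+=\-\[\]{}.,;:?]+$")


def normalize(password: str) -> str:
    """Casefold, Unicode-normalize and strip a trailing digit/symbol suffix,
    so that 'CompanyName[01]' and 'CompanyName[02]' both reduce to 'companyname'."""
    folded = unicodedata.normalize("NFKC", password).casefold()
    return _TRAILING_NOISE.sub("", folded)


def is_repetitive_or_sequential(password: str) -> bool:
    """True for strings like 'aaaaaaaa' or '12345678': every step between
    adjacent characters is the same and is 0 or +/-1."""
    if len(password) < 2:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(diffs) == 1 and abs(next(iter(diffs))) <= 1


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of reasons the password is unacceptable; empty means OK.
    No class-of-character rules are applied, matching the 800-63B guidance."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    raw = password.casefold()
    norm = normalize(password)

    # Compare both the literal value and the suffix-stripped base word, so that
    # 'Password1' and 'Password123!' are both caught by the 'password' entry.
    if raw in BLOCKLIST or norm in BLOCKLIST:
        problems.append("appears in the common/compromised password list")
    if any(word in norm for word in CONTEXT_WORDS):
        problems.append("contains a context-specific word (service or company name)")
    if username and username.casefold() in norm:
        problems.append("contains the username")
    if is_repetitive_or_sequential(password):
        problems.append("repetitive or sequential characters")
    return problems


if __name__ == "__main__":
    for candidate in ["CompanyName[00]", "CompanyName[01]", "Password1",
                      "12345678", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that "correct horse battery staple" passes with no digits or symbols at all, while every incremented "CompanyName[nn]" fails for the same reason regardless of the counter; the blocklist check is doing the work that expiration and complexity rules were supposed to do.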


Sounds like a certain BOFH story... have you ever thought about just adding another "s" to the end of your password instead?



