Comment by int_19h

> Forced password changes once every 90 days is dumb and slightly annoying but doesn't significantly impact business operations.

It negatively impacts security, because users then pick simpler passwords that are easier to rotate through some simple transformation. Which is why it's considered not just useless, but an anti-pattern.