
NIST only changed that recommendation last year. Expect that update to take at least 10 years to percolate through institutions like banks.


This recommendation dates back to 2017.

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

8 years later, no one seems to care. Other things that NIST doesn't recommend are rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or relate to the user name.

Here is the relevant document: https://pages.nist.gov/800-63-3/sp800-63b.html
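A concrete illustration of the SP 800-63B approach the comment above describes, as an added example that is not from the comment, from the thread, or from NIST: a verifier that enforces length, a blocklist of breached passwords, dictionary words, context-specific words (username, service name) and repetitive or sequential strings, and deliberately no composition rules. The sample lists, the 64-character cap, the 3-character minimum for context matching and the run-coverage heuristic are my assumptions; a real deployment would load a full breach corpus instead of the inline set.

```python
import unicodedata

MIN_LEN = 8    # SP 800-63B rev 3: user-chosen secrets must be at least 8 characters
MAX_LEN = 64   # rev 3 says verifiers SHOULD permit at least 64; capping at 64 is an assumption

# Constructed sample lists for the example. A production verifier would load a
# breach corpus with hundreds of millions of entries and a real dictionary.
BREACHED = {"password", "123456", "qwerty123", "letmein", "iloveyou", "p@ssw0rd"}
DICTIONARY = {"sunshine", "princess", "football", "baseball", "trustno1"}


def normalize(secret):
    """NFKC-normalize so visually identical inputs compare (and hash) the same.

    800-63B recommends applying NFKC or NFKD before hashing; the same form must
    be used at enrolment and at login.
    """
    return unicodedata.normalize("NFKC", secret)


def _run_coverage(s):
    """Count characters that sit inside repeated ("aaa") or ascending/descending
    ("abc", "321") runs of length >= 3. Heuristic chosen for this example."""
    covered, i, n = 0, 0, len(s)
    while i < n:
        j = i + 1
        if j < n:
            step = ord(s[j]) - ord(s[i])
            if step in (-1, 0, 1):
                while j + 1 < n and ord(s[j + 1]) - ord(s[j]) == step:
                    j += 1
                length = j - i + 1
                if length >= 3:
                    covered += length
                    i = j + 1
                    continue
        i += 1
    return covered


def check_password(candidate, username, service_name):
    """Return (accepted, reason). Only length and blocklist checks, no
    composition rules and no expiry: a change is forced only on evidence of
    compromise, which is an account-level event rather than a check here."""
    pw = normalize(candidate)
    if len(pw) < MIN_LEN:
        return (False, "shorter than 8 characters")
    if len(pw) > MAX_LEN:
        return (False, "longer than 64 characters")

    folded = pw.casefold()          # case-insensitive comparison against the lists
    if folded in BREACHED:
        return (False, "found in breach corpus")
    if folded in DICTIONARY:
        return (False, "common dictionary word")
    if _run_coverage(folded) == len(folded):
        return (False, "repetitive or sequential characters")

    # Context-specific words: the username, the service name and derivatives
    # such as "alice2017". Substring match on contexts of 3+ characters is a
    # design choice for this example.
    for ctx in (username, service_name):
        c = normalize(ctx).casefold()
        if len(c) >= 3 and c in folded:
            return (False, f"contains context-specific word {ctx!r}")
    return (True, "ok")


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "P@ssw0rd", "1234abcd",
               "alice2017!!", "Football", "short"):
        print(f"{pw!r:32} -> {check_password(pw, 'alice', 'example')}")
```

Note the contrast: "P@ssw0rd" satisfies every classic composition rule and is rejected because it is in the breach list, while "correct horse battery staple" has no digits or symbols and is accepted.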


And expect people to still implement it in the future, based on documentation from some consultancy that hasn't disseminated the new recommendation internally to their implementation engineers.



