Do Not Require Frequent Password Changes!
I have experienced firsthand that, when asked to change passwords frequently, users resort to using past passwords with minor changes or additions to them. Passwords are difficult to remember, so they may add a number to an existing password. For example, if my password is sTudENt, when I am asked to change the password, I change it to sTudENt1. The next time around, I may change it to sTudENt2, then to sTudENt3, and so on. I have been preaching for years that requiring users to change passwords frequently serves little purpose from a security standpoint. Now, Microsoft says it, too.