From Microsoft in May 2019 (https://blogs.technet.microsoft.com/secguide/2019/05/23/secu...) talking about how their new policy is not to recommend regular password changes:

> When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.