Comment 2 for bug 1979570

Jason Boyer (jboyer) wrote:

There are certainly things that we could do to improve password security, but I'm going to argue against time-based forced password changes (and NIST agrees: https://pages.nist.gov/800-63-3/sp800-63b.html#-5112-memorized-secret-verifiers, paragraph 9). It encourages staff to pick a password they can remember that meets the requirements and then just make minimal changes to shut up the algorithm each quarter ('bad1', 'bad2', 'bad3', etc.).

A better solution is to increase the minimum size and encourage staff to use a password manager so they can start using *really* secure passwords that they could never hope to remember at all.

I also initially read this as applying only to staff, but I'm absolutely certain that imposing this on patrons will make many of their accounts more secure as they simply stop using their accounts entirely. Most *banks* don't do this to the general public.