Traditional Active Directory environments have long used password aging as a means to bolster password security. Microsoft has said that it is dropping the password-expiration policies from the security baseline for Windows 10 v1903 and Windows Server v1904. The National Institute of Standards and Technology (NIST) has long offered a cybersecurity framework and security best practice recommendations. By default, Active Directory includes the following Password Policy settings: Enforce password history, Maximum password age, Minimum password age (which must be less than the maximum password age), Minimum password length, Password must meet complexity requirements, and Store passwords using reversible encryption.
Source: https://thehackernews.com/2020/12/how-to-use-password-length-to-set-best.html

