"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."
Should be noted that NIST’s current recommendations are meant to be part of a number of mitigation’s including checking passwords against known-breach databases, rate-limiting, etc.
Without those other mitigations, pw rotation may still help more than it hinders, although I am definitely not a fan of it and recommend implementing all of the NIST’s recs instead.
For those looking to head that route, haveibeenpwned offers an API to check hashes against previous breaches. For a pw strength meter, have a look at zxcvbn.
Harmj0y, who is probably the best public AD hacker right now suggests 3 month rotations, IIRC.
My guess is the idea is to mitigate compromise of very old passwords, spray attacks using breached site creds, reduce insider threat and at least offer some mitigation for compromised hashes.
I think this is wise compared in work environments - 90 days, 180 or even 360 would be a good mitigation over _none_ to too many.
I think those concerns are better addressed elsewhere with tools like MFA, automatically disabling inactive accounts, or monitoring public services like HIBP to deactivate accounts quickly. Attackers can move quickly so you hit diminishing returns on rotation policies trying to avoid usability issues incentivizing worse passwords while not rotating long after the account has been compromised.
edit: I wasn't calling OP a liar, I just couldn't find it.