> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
[1]: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
[1]: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver