Passwords must be valid for a maximum of 30 days.
CAPEC-49: Password Brute Forcing. In this attack, the adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CIS Controls. 16.10 Ensure All Accounts Have An Expiration Date. Ensure that all accounts have an expiration date that is monitored and enforced.
CWE-263: Password Aging with Long Expiration. Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.
NERC CIP-007-6. B. Requirements and measures. R5.6 Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.
PCI DSS v3.2.1 - Requirement 8.2.4 Change user passwords/passphrases at least once every 90 days.