To improve security and protect your data from being compromised, we recommend following security best practices within VCC.

Password expiry

Evidence suggests that password expiration policies lead users to configure weaker passwords that are easier to remember. Additionally, most users configure new passwords as a minor variation of the old ones. The current recommendation is to not enforce mandatory password changes, and to mandate a password change only when there is evidence of the existing password being compromised, a suspected breach, or a specific threat.

Recommendations against the practice of expiring passwords:

  1. National Institute of Standards and Technology (NIST): Digital Identity Guidelines (SP 800-63B Section 5.1.1.2)
  2. United Kingdom's National Cyber Security Centre (NCSC): Password administration for system owners (Tip 4: Help users cope with password overload)
  3. Center for Internet Security (CIS): The CIS Password Policy Guide