@mynamesleon
Actually they are somewhat recent guidelines from the NIST (USA National Institute of Standards and Technology).
So pentesters should know that.
Obviously if you are outside the USA these rules don't apply to you legally 😉 but the industry seems to respect NIST.
In #Poland we had (maybe still currently have) a legal obligation to rotate admin passwords for systems containing personal data. And I'll be implementing password rotation shortly...