From https://sprinto.com/blog/nist-password-guidelines

NIST (National Institute of Standards and Technology) has a smart recommendation for businesses regarding password expiration and resets. Instead of forcing users to change their passwords frequently, they suggest doing it under two specific conditions.
A password reset should happen when there’s clear evidence of a security breach or a known compromise.
Consider resetting passwords every 365 days, which is roughly once a year. The goal isn’t to hassle users; it’s to nudge them toward creating longer, more complex passwords.

Matomo should allow a super user to define a password expiry policy after how many days a password reset is required for all users.

refs #13070