In accordance with NIST 800-171 guidelines, NIST recommends doing away with password expiration and requiring users to reset passwords only when the organization suspects the password has been compromised. When passwords expire more frequently, users often choose easily guessed patterns or store passwords insecurely (such as on a sticky note).
Plex has followed the NIST guidelines outlined above.
In Plex IdP, passwords do not have an expiration policy and must meet minimum length (10 characters) and entropy (108 guesses) requirements.
For customers that need custom password policies to meet internal or external audit requirements, Plex proposes using 3rd-party IdPs (Azure AD, Okta) and using IAM as an identity broker.
These solutions also provide additional MFA capabilities that are not built into IAM today. As Plex IdP continues to improve, additional options regarding policy management are under consideration.
Link to NIST guidelines