The main ones (h/t Bruce Schneier):
- Periodic password changes address a problem on shared Unix minis in the late 1970s, not now.
- Complexity rules are pointless, since the main risks are phishing and reuse, not guessing.
- Password managers help a lot; web sites that try to prevent their use are, ah, sadly misguided.
References
https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
https://www.cerias.purdue.edu/site/blog/post/password-change-myths/
https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die