Currently, the d.vinci system prompts users to choose a new password every 90 days. d.vinci thus follows the security recommendations of the German Federal Office for Information Security (BSI).
The BSI removed its recommendation to force password changes in 02/2020 (from the Grundschutz-Compendium for Information Security (German), chapter ORP.4). The BSI is thus following other countries such as the USA, whose responsible authority, NIST, already changed its specifications in 2017.
Following the new recommendations of the BSI, d.vinci will remove the password change requirement by 5/20/2021 at 18:00 CEST.
The background to this change is the realization by security authorities that regularly changing passwords potentially does more harm than good. Users tend to replace the old password with a slightly different one, or they choose passwords that are easier to remember and thus easier to crack. There is also an increasing tendency to write passwords down. A permanent password created according to proven security guidelines offers more protection than frequently switching between weak passwords.
According to the BSI's recommendation, a strong password should only be changed if the password is suspected to have fallen into the hands of third parties.