dragonwriter 2 days ago

> I wish there were some affirmative guidance to stop doing this because at the moment governments still think forcing password changes makes it “safer”.

NIST SP 800-63B-4 [0] seems to be pretty clear “affirmative guidance”, though it's only actually legally required in certain circumstances.

[0] https://pages.nist.gov/800-63-4/sp800-63b.html @ 3.1.1.2: “[...] Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised. [...]”
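The quoted rule, as an added example that is not part of the comment above and not NIST's or anyone else's reference code: a verifier-side decision function with the legacy 90-day expiry policy beside the SP 800-63B-4 3.1.1.2 policy (no periodic change, forced change only on evidence of compromise). The breach corpus, the account records and the policy names are constructed for the example; nothing here is a real dump or a real product's API.

```python
"""Added example: deciding when a verifier must force a password change.

Two policies side by side:
  LEGACY_90_DAY  - force a change every 90 days (what 800-63B-4 3.1.1.2 now forbids)
  NIST_800_63B   - never force a periodic change; force one only on evidence
                   that the password has been compromised (SHALL force)
All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Set, Tuple
import hashlib


class Policy(Enum):
    LEGACY_90_DAY = "legacy"   # periodic expiry: a SHALL NOT under 800-63B-4
    NIST_800_63B = "nist"      # change only on compromise evidence


@dataclass
class Account:
    username: str
    password_sha1: str        # breach corpora are commonly keyed by SHA-1
    last_changed: datetime


def sha1_hex(password: str) -> str:
    """Only used to look up a breach corpus (constructed here). SHA-1 is NOT a
    suitable password storage hash; a real verifier stores a slow salted hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed "breach corpus": a set of leaked password hashes and a set of
# leaked (username, password-hash) credential pairs from a hypothetical dump.
BREACHED_HASHES: Set[str] = {sha1_hex("Password123"), sha1_hex("letmein")}
BREACHED_PAIRS: Set[Tuple[str, str]] = {("carol", sha1_hex("correct horse battery"))}


def compromise_evidence(account: Account) -> Optional[str]:
    """Return a reason if there is evidence the authenticator is compromised."""
    if (account.username, account.password_sha1) in BREACHED_PAIRS:
        return "username/password pair present in a credential dump"
    if account.password_sha1 in BREACHED_HASHES:
        return "password hash present in a breach corpus"
    return None


def must_change_password(account: Account, now: datetime, policy: Policy) -> Tuple[bool, str]:
    """(force_change, reason). Compromise evidence forces a change under either
    policy; only the legacy policy adds the calendar-based rotation."""
    evidence = compromise_evidence(account)
    if evidence:
        return True, evidence
    if policy is Policy.LEGACY_90_DAY and now - account.last_changed > timedelta(days=90):
        return True, "password older than 90 days (periodic rotation)"
    return False, ""


def demo() -> dict:
    """Run both policies over three constructed accounts; returns the decisions."""
    now = datetime(2025, 9, 1, tzinfo=timezone.utc)
    accounts = [
        # old but not leaked: legacy forces rotation, NIST does not
        Account("alice", sha1_hex("3Hg!pLw9#qR2zV"), now - timedelta(days=400)),
        # freshly set but the password is in the breach corpus: both force a change
        Account("bob", sha1_hex("Password123"), now - timedelta(days=3)),
        # exact credential pair leaked: both force a change
        Account("carol", sha1_hex("correct horse battery"), now - timedelta(days=30)),
    ]
    return {
        (acct.username, policy.value): must_change_password(acct, now, policy)
        for acct in accounts
        for policy in Policy
    }


if __name__ == "__main__":
    for (user, policy), (force, reason) in demo().items():
        print(f"{user:6} {policy:7} force_change={force!s:5} {reason}")
```

The point the function makes is that the two policies differ only for the old-but-unleaked account: calendar age alone never triggers a change under the NIST-aligned branch, while evidence of compromise forces one regardless of how recently the password was set.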