I remember working at a large organization with a team of other IT Operations staffers. We rotated this one job every month amongst a few people, each taking turns, where we'd lose a day to update all the privileged passwords for our servers. This was before Managed Service Accounts and the cloud, when we were required to change these every 30 days and then store the new ones in an encrypted store.
What struck me when I got stuck with this wasn't the requirement to change every 30 days; that seemed normal. The thing that bothered me was how manual this was. As a former developer, I wrote some scripts to automated this, pre-PowerShell, and make the task easier on my fellow sys admins. I had scripts to generate a password, change it in AD, then print the pwd to be copied into our secure storage (no API there). This ran in a loop so I didn't lose a whole day to changing password.
These days, we have lots of alternatives to managing passwords, and in fact, much of modern guidance isn't to require password changes so often. For systems, use an automated process such as an MSA or GMSA. For users, we've mostly given up on changes and are trying to get people to use decently long passwords and disparate ones across services.
Modern guidance from Microsoft says to avoid using common passwords (asdfasdf, password1, ec.) and don't use the same password in multiple places. MFA is also recommended, but the anti-patterns for success are requiring long, complex passwords or frequent changes. Studies show these lead to less security because users do stupid things.
These days, I would guess many of you managing database systems use some sort of integrated security with AD, Entra, OAuth, etc. However, I know there are still places where passwords are in use. Do you require changes often? Do you change any of your passwords regularly?
Security is always hard, and it's even harder when the recommendations and rules aren't consistent or even enforced. I don't know what to do, but I try to use disparate, long passwords and MFA wherever I can. So far that's worked well.