Excerpt from 5.1.1.2 pertaining to complexity and rotation requirements:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Appendix A of the document contains their reasoning for changing from the previous common wisdom.
The tl;dr of their changes boil down to length is more important than any other factor when it comes to password security.
Where specifically could I find this recommendation so i can forward it to my IT department?
What you want is NIST 800-63b https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
Specifically sections 5.1.1.1 and 5.1.1.2.
Excerpt from 5.1.1.2 pertaining to complexity and rotation requirements:
Appendix A of the document contains their reasoning for changing from the previous common wisdom.
The tl;dr of their changes boil down to length is more important than any other factor when it comes to password security.