As a security guy - as soon as I can get federal auditors to agree, I'm getting rid of password expiration.
The main problem is they don't audit with logic. It's a script and a feeling. No password expiration FEELS less secure. Nevermind the literal years of data and research. Drives me nuts.
Wasn't Brave doing some shady stuff a while back?
https://www.androidpolice.com/2020/06/07/brave-browser-caught-adding-its-own-referral-codes-to-some-cryptcurrency-trading-sites/