Developing a new site, question about login security

Discussion in 'PHP' started by LarcenIII, Aug 14, 2011.

  1. #1
    When planning a lockout policy for accounts, where is the balance between safe and annoying?

    3 strikes makes sense, but people who forget their own password can usually remember after 10 tries or so...

    But I don't want people compromised because someone else had a "clue" to their password.

    And what are your thoughts on password aging? 30 days, a year, or never?

    Is there a standard out there to go by, or is this all just a "Do as you see fit" scenario?
     
    LarcenIII, Aug 14, 2011 IP
  2. The Webby

    The Webby Peon

    #2
    Unless your content is super critical, there is no sense in making the password expire in less than a year.

    3 strikes is perfect; if users have no clue about their password (that means either the user is suffering from dementia or doesn't care about your site), give them the option to reset it via email or SMS.

    There is no standard way to go by, it's more like do it as you see fit.
     
    The Webby, Aug 14, 2011 IP
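A way to implement the "3 strikes" policy the reply describes, as an added example written for this thread rather than code posted by anyone in it. It assumes an in-memory array in place of the users table, a 15-minute temporary lock (an assumed value), and `password_hash`/`password_verify` from PHP 5.5 and later. The lock is temporary on purpose: a permanent lock would let anyone who knows a username deny that user access by typing wrong passwords, and the account owner still has the email or SMS reset path the reply mentions.

```php
<?php
// Added example: per-account failed-login counter with a temporary lockout.
// Storage is an in-memory array here; a real site would keep the same
// three fields (failures, locked_until, password hash) in its users table.
declare(strict_types=1);

final class LoginThrottle
{
    private const MAX_FAILURES = 3;       // "3 strikes", as suggested in the thread
    private const LOCKOUT_SECONDS = 900;  // 15 minutes; assumed, tune to taste

    /** @var array<string, array{failures:int, locked_until:int}> */
    private array $state = [];

    public function isLocked(string $user, int $now): bool
    {
        $s = $this->state[$user] ?? null;
        return $s !== null && $s['locked_until'] > $now;
    }

    public function recordFailure(string $user, int $now): void
    {
        $s = $this->state[$user] ?? ['failures' => 0, 'locked_until' => 0];
        $s['failures']++;
        if ($s['failures'] >= self::MAX_FAILURES) {
            // Third strike: lock the account and start a fresh count for the next window.
            $s['locked_until'] = $now + self::LOCKOUT_SECONDS;
            $s['failures'] = 0;
        }
        $this->state[$user] = $s;
    }

    public function recordSuccess(string $user): void
    {
        unset($this->state[$user]); // a correct login clears the strike count
    }
}

// Hash used when the username does not exist, so an unknown user costs the
// same bcrypt work as a known one and the response does not reveal which
// usernames are registered.
$DUMMY_HASH = password_hash('not-a-real-password', PASSWORD_DEFAULT);

/** Returns 'locked', 'denied' or 'ok'. $users maps username => password hash. */
function attemptLogin(LoginThrottle $t, array $users, string $user, string $password, int $now): string
{
    global $DUMMY_HASH;
    if ($t->isLocked($user, $now)) {
        return 'locked'; // do not even evaluate the password while locked
    }
    $known = isset($users[$user]);
    $ok = password_verify($password, $known ? $users[$user] : $DUMMY_HASH) && $known;
    if (!$ok) {
        $t->recordFailure($user, $now);
        return 'denied';
    }
    $t->recordSuccess($user);
    return 'ok';
}

// Constructed demo data: one user with a known password.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$throttle = new LoginThrottle();
$now = 1_313_280_000; // an arbitrary fixed timestamp for the demo

foreach (['guess1', 'guess2', 'guess3'] as $bad) {
    echo attemptLogin($throttle, $users, 'alice', $bad, $now), "\n";      // denied x3
}
echo attemptLogin($throttle, $users, 'alice', 'correct horse', $now), "\n";        // locked
echo attemptLogin($throttle, $users, 'alice', 'correct horse', $now + 901), "\n";  // ok
echo attemptLogin($throttle, $users, 'nobody', 'anything', $now), "\n";            // denied
```

Run it with `php throttle.php`; the six lines printed are `denied`, `denied`, `denied`, `locked`, `ok`, `denied`. The `locked` result comes back even though the fourth attempt used the right password, which is the point of the policy: once an account is locked, guessing continues to cost the attacker the full lockout window per three tries.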
  3. freelanceinphp

    freelanceinphp Member

    #3
    It's not required to reset the password after a certain period, but due to site requirements, like banking or financial sites, a password change is required every six months; they also track the last three passwords, so you cannot set a new password that matches any of your last three passwords.

    As I said, it depends on you.
     
    freelanceinphp, Aug 15, 2011 IP
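The six-month aging and "last three passwords" rule from this reply, as an added example that is not code from the thread. It assumes an in-memory array for the account records, a 180-day maximum age (an assumed figure for "six months"), and that the history holds the current hash plus its two predecessors; reuse is detected by running `password_verify` against each stored hash, so the old passwords themselves are never kept in the clear.

```php
<?php
// Added example: password aging plus a reuse check against the last three hashes.
// Account records live in an array here; a real site would store the hash list
// and the changed_at timestamp alongside the user row.
declare(strict_types=1);

final class PasswordPolicy
{
    private const HISTORY_SIZE = 3;               // current hash + two predecessors
    private const MAX_AGE_SECONDS = 180 * 86400;  // about six months; assumed value

    /** @var array<string, array{hashes: string[], changed_at: int}> */
    private array $accounts = [];

    public function setInitialPassword(string $user, string $password, int $now): void
    {
        $this->accounts[$user] = [
            'hashes' => [password_hash($password, PASSWORD_DEFAULT)],
            'changed_at' => $now,
        ];
    }

    /** True when the user must be sent to the change-password page before continuing. */
    public function isExpired(string $user, int $now): bool
    {
        return ($now - $this->accounts[$user]['changed_at']) > self::MAX_AGE_SECONDS;
    }

    public function verify(string $user, string $password): bool
    {
        $hashes = $this->accounts[$user]['hashes'] ?? [];
        // The current password is always the newest (last) entry in the history.
        return $hashes !== [] && password_verify($password, end($hashes));
    }

    /** Returns null when the change is accepted, or a reason string when it is rejected. */
    public function changePassword(string $user, string $current, string $new, int $now): ?string
    {
        if (!$this->verify($user, $current)) {
            return 'current password incorrect';
        }
        foreach ($this->accounts[$user]['hashes'] as $old) {
            if (password_verify($new, $old)) {
                return 'new password matches one of the last ' . self::HISTORY_SIZE . ' passwords';
            }
        }
        $hashes = $this->accounts[$user]['hashes'];
        $hashes[] = password_hash($new, PASSWORD_DEFAULT);
        // Keep only the newest HISTORY_SIZE hashes; older ones drop out of the window.
        $this->accounts[$user]['hashes'] = array_slice($hashes, -self::HISTORY_SIZE);
        $this->accounts[$user]['changed_at'] = $now;
        return null;
    }
}

// Constructed demo: a user rotates through passwords and tries to reuse one.
$policy = new PasswordPolicy();
$t0 = 1_313_280_000; // arbitrary fixed timestamp
$policy->setInitialPassword('bob', 'winter2011', $t0);

var_dump($policy->changePassword('bob', 'winter2011', 'spring2012', $t0 + 1));  // NULL (accepted)
var_dump($policy->changePassword('bob', 'spring2012', 'winter2011', $t0 + 2));  // string: matches last 3
var_dump($policy->changePassword('bob', 'spring2012', 'summer2012', $t0 + 3));  // NULL
var_dump($policy->changePassword('bob', 'summer2012', 'autumn2012', $t0 + 4));  // NULL
// winter2011 has now aged out of the three-entry window, so it is accepted again.
var_dump($policy->changePassword('bob', 'autumn2012', 'winter2011', $t0 + 5));  // NULL
var_dump($policy->isExpired('bob', $t0 + 5 + 181 * 86400));                      // bool(true)
```

Each `changePassword` call runs bcrypt up to four times (one verify of the current password plus one per stored hash), so it takes a noticeable fraction of a second; that is acceptable for a change-password form and is the cost of never storing old passwords reversibly.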