It is silly that this suggestion even needs to exist. Even sillier that nearly 4 years have passed and it has not been implemented.

The password standards have now been increased to 8 characters but there is still no expiration. (https://kb.blackbaud.com/articles/Article/43647) It would be best if system admins had control over password standards for their organizations. For example our organization policy is to have 8+ with special char, number, upper, and lower case. I have no way to enforce this and have to rely on my users complying on their own. It would also be great if I could require 2 step authentication for our users. Now that we have our donor data protected by the same password in NXT, I think we need to have this decision in our court. 

This becomes bigger than NXT, as it's really your Blackbaud.com account that you use to sign in with.  At the very least, it would be nice to be able to set a reminder to users to change their password (with a link directly to the page where that is done), and let the DBA/System Admin set the timing on that.  Our computers at my org are on a 90 day cycle, so every 90 days, I have to change my computer password and at that same time, I just update everything across the board, even though not all of the systems require or even remind/recommend that it be changed.