zlacker

This was a very unfortunate choice of words by the author, as they don't mean credentials as in the credential a user uses to initially authenticate to the system. Rather they mean authentication tokens, be they Kerberos tickets, bearer tokens, etc.

This memo in particular emphasizes the existing guidance the US government has issued around not expiring passwords. If you are a federal agency, you can have (and are in fact encouraged to have!) users with passwords that are unchanged for years.

Edit: it's worth pointing out that the memo does a great job of laying this out. I work in security, so possibly there's some curse of knowledge at play, but I found the blog post explainer to be less clear than the memo it is explaining...