windows-privesc-check
Add recommendation for password expiration
As written in the recommendation, it has not been best current practice for a long time to force password changes upon users. Sources (as also referenced in the recommendation):
- https://pages.nist.gov/800-63-3/sp800-63b.html
- https://www.microsoft.com/en-us/research/publication/password-guidance/ (see page 9, it links to research from University College London, University of North Carolina, and Carleton University via the FTC link)
My thoughts on the matter are:
- The warning "there are users without expiring passwords" should just not be shown in general because it's not a warning: it's a good thing.
- However, many people still don't know this (both inside and especially outside the security field). It might be better to make people aware of updated research (for decades, "change your passwords" has been repeated and recommended, and many people know of the "change your password" day even if they don't do it).
- Some organisations might want to see this warning because they have a policy diverging from the latest recommendations, so that's another reason to potentially leave this in (even if it seems misguided to me).
I'm fine just getting rid of WPC112 altogether if that's the course you prefer to steer, but recognizing that removal of a warning likely creates debate and that there are also reasons to keep it, adding pointers to research seems more practically useful.