As part of good security practice, there is an option so that old user passwords are removed from the database where the user has been inactive for 15 months. This is to safeguard users' passwords who no longer use the site.
This can be set in Site Settings > Security > Expire Passwords For Old User Accounts.
NB for new sites since 11th October 2019 this is enabled by default.
Why Is The Inactive Period 15 Months?
The 15 month timeframe is a practical time limit because it means that annual repeat buyers, such as Christmas shoppers, will not be affected the following year when they may wish to make a repeat purchase, but once they lapse a further 3 months then they will be classed as inactive and will then benefit from greater data protection through password removal.
Can Users With Deleted Passwords Still Login & Use The Site?
Yes. When they try to login the system will inform them that their password has expired and automatically send out a new password to their registered email address:
Webauthn - Industry Standards To Eliminate Passwords
Looking further ahead, there is already an industry drive towards eliminating password use altogether for website logins via the 'WebAuthn' web standard. This will use different methods of authentication such as biometric devices like fingerprint readers on your phone or browser based control, and there are already passwordless 'magic links' in use allowing one-time logins via email addresses or SMS.