"The idea behind automatically and regularly resetting your password is pretty obvious: it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers."
Yes, that's the *idea*. It's also completely idiotic.
The "achieved goals" are only the goals *intended* to be achieved. The policy in no way acts to ensure that those goals are *actually* achieved.
1. Historical password information rendered useless.
Not if the user is adopting some date related component with an otherwise fixed password. e.g. xxxxxxxxxAPR2016. If you have someone's historical password then you can easily predict what their current password might be - just change the date component until you hit pay-dirt. (Numeric components, just keep increasing the numbers or - if you have a particularly creative user - decreasing them)
2. Forces users to think periodically about security.
NO! You might like to THINK this is what is happening, but all it forces is an awareness that there is an annoying security policy. This in no way guarantees what thoughts that awareness will then result in. In most cases the thoughts will not be "Hmmm, now I must carefully devise a new, secure password". It will in most cases be "Goddamit not again". Followed by an entirely though-free process of mechanically applying the algorithm the user has devised to generate a new password that satisfies the policy with the minimum of effort on their part. After all, this is just something that is getting in the way of their doing the things they actually want and/or need to do and which they want to deal with as quickly as possible. Rigor and diligence are simply not a factor, let alone any really serious consideration of security.
3. Increases the likelihood that users will not use the same password on different services.
There might be SOME element of truth in this one, except that being forced to routinely change their password by one service, the chances are high that they will simply incorporate their "normal" password (the one they use on all the services that do not force them to change it) in the rotating password that they use for the ones that do. If the password reset cycles are not in sync this in turn further increases the likelihood that the variation they adopt will be some date based formula, since this allows a user to make a good guess at a forgotten password within the common "3 strikes" window of opportunity (the month they think they last changed their password then one.month either side).
4. Creates a moving target for hackers.
Wrong. This final "conclusion" is predicated on an idealistic scenario arising and the previous 3 goals all having been met because the user is aware and complying with the expected, ideal behaviour laid out in those 3 goals.
In reality the "moving target" is likely to be just a shuffling target. Barely moving at all (and worse: moving in a highly predictable fashion).
People are not cogs in a machine that will behave the way that the designers of the machine want.