The problem with password change policy is that it dramatically weakens the passwords of security-aware people, and also weakens the ones of complete utter tools:
- Security-aware people will have a completely random string, special chars, numbers, upper and lower case, no dictionary word, etc. Forcing them to change it periodically will just make them force a common prefix and an incremental number after it, like in PASS01, PASS02, etc. All of those with a very strong PASS. This is adding 0 security to those users and in fact decreases it, due to the common prefix... Retarded.
- Tools will generally try any dictionary word they know + any number and largely write it down in order to retain it. Very low security, and largely lower security than if you allowed them their first/last girlfriend's/boyfriend's name. Retarded.
All of this because of the argument that someone could have spotted the password over their shoulder, which rarely happens.
I've always found those policies very detrimental to security. And this multiplies with big corporations having multiple ID systems and varying pass change periods.
Again, at the end, you end up putting them all in Excel.