tl;dr – forcing people to regularly change their passwords is counterproductive and actually leads to less security (not to mention more errors, more support calls, more rage against the machine). Of course, in the event of a security breach, it is essential to change them. But enforcing regular changes not only doesn’t help, it actually hinders security, and the more frequently changes are required, the worse it gets.
This article draws, somewhat indirectly, on a large-scale study of forced password changing, available at https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf. It is far from the only one: the paper at http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf provides a mathematical proof that frequent password changing is not worth the hassles and complications it causes. NIST in the US and CESG in the UK have advised against it in recent years because it is ineffective and counterproductive.
Athabasca University has recently implemented a new ‘frequent change’ policy that is patchily enforced across different systems. We need to rethink this. It is 1970s thinking based on a technician’s hunch, and the empirical evidence shows clearly that it is wrong.
In a perfect world we would find ways to do away with this outmoded and flaky approach to authentication, but the mainstream alternatives, and even some more exotic methods, are not that great. Most rely on something you have – typically a cellphone or fob device – as well as something you know, the same general principle as chip-and-PIN (still one of the most effective authentication methods). I don’t mind having to do that for things that demand high security, and I use two-factor authentication where I can for accounts that I care about, but it’s a big pain. If we’re going to use passwords, though, they need to be good ones, and we should not be forced to change them unless they might have been compromised.