The Pain of Password Changes

Loved this article (click through) about the impact of regular password changes on businesses.

Big enterprises that force their workers to change their access passwords on a regular basis, and adhere to complex rules when they do, might be their own worst enemy.

via Mandatory Password Changes Costs Billions in Lost Productivity – Security – Lifehacker.

The presumption of most security policies is that changing passwords increases security, which is not strictly the case in my view. Most of the time, forced password changes result in written-down passwords or easily guessed repeat passwords, or even attempts to beat the strict rules that are required (like ‘must contain a number, a letter and at least one upper case letter’). All this does is give a crib to breaking the system. The other thing to say is that password changes like this assume that the password is guessable, that you have been overlooked, or that the system is insecure (like when you used telnet, which sends passwords in the clear). Now, with strong encryption, good personal security/awareness and a good, sound non-word password, the need for changes should be based more on education of staff to understand password changing in response to insecure behaviour instead, like being overlooked, a security weakness being identified, etc.

At least that is my view; what is yours?

