On Riley On Spaf.
Steve Riley has some good comments (okay, he simply says "I like this a lot") on Eugene Spafford's blog entry about Security Myths and Passwords. [In this, and any other discussion, remember that "password" actually means "sequence of characters, potentially including space, that are easy to remember but difficult to guess" - others use "passphrase" to indicate that added typing may increase entropy; I like to remember that "The quick brown fox jumps over the lazy dog" is easier to guess than "a*3m.!Z└"]
Now here are my comments - and this is mostly "Devil's Advocate".
It's been long known by managers that if it's secure to ask for an eight-letter password and renew every thirty days, it must be even more secure to ask for a thirty-letter password and renew every eight days.
The rest of the world knows that when you do that, the password becomes "I hate my expletive-deleted boss", followed by "I hate my expletive-deleted boss1" and so on.
If one of these sequential passwords becomes compromised, of course, they're all compromised.
But the flip-side is that if you are encouraged to create one password, and keep it with you for all eternity, you will use the same password at your next job as you did at your last job.
Will your next job appreciate that the password you're using is known by the keylogger at your last job, or the SQL-based app that stores your password rather than a hash, or the reversibly-encrypted password store on the IIS server?
Oh, and then the old job's site gets hacked, and your password is now widely known by the community of malfeasants.
You and I, we'll think to use a different password for a different job / system. Maybe.
The average information worker, though, will choose to stick with one password, if possible, and will use it everywhere - for business, for banking, for purchasing dancing pigs barbecue sauce, etc.
There is a valid purpose to requiring password change. If I still used today the eight-letter password that Unix used to enforce as a maximum (because it couldn't hash any more than the first eight letters you typed), I wouldn't meet today's password complexity requirements. And when the password complexity requirements change, you can't go trolling through your existing password database looking for passwords that don't comply. You have to apply the password complexity filter as passwords are set, and then figure out when to start requiring people to change their passwords.
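As an added illustration (my own sketch, not code from the original post or from Spafford or Riley), here is a change-time filter that does what the paragraph describes: it can only inspect a password while the plaintext is briefly in hand, so it records which policy version each stored hash was checked against in order to decide later who must rotate, and it also refuses the "boss", "boss1", "boss2" sequence mentioned earlier. The PBKDF2 parameters, the policy rules and the sample passwords are assumptions I constructed for the example.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass

POLICY_VERSION = 2   # bumped whenever the complexity rules change (assumed value)
MIN_LEN = 12         # assumed rule; real policies vary

@dataclass
class Record:
    salt: bytes
    digest: bytes         # only the derived hash is stored, never the plaintext
    policy_version: int   # which complexity rules this hash was checked against

def kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is used here because it ships with the stdlib
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def complexity_ok(pw: str) -> bool:
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= MIN_LEN and sum(bool(re.search(c, pw)) for c in classes) >= 3

def is_trivial_increment(old: str, new: str) -> bool:
    """'I hate my boss' -> 'I hate my boss1' -> 'I hate my boss2': same core, new counter."""
    core = lambda s: re.sub(r"\d+$", "", s).lower()
    return core(old) == core(new)

def rejection_reason(rec, old_plain: str, new_plain: str):
    """Why a change would be refused, or None if it is acceptable.
    rec is None for a brand-new account (no old password to verify)."""
    if rec is not None and not hmac.compare_digest(kdf(old_plain, rec.salt), rec.digest):
        return "old password incorrect"
    if not complexity_ok(new_plain):
        return "fails complexity policy"
    if rec is not None and is_trivial_increment(old_plain, new_plain):
        return "trivial variation of the old password"
    return None

def change_password(rec, old_plain: str, new_plain: str) -> Record:
    reason = rejection_reason(rec, old_plain, new_plain)
    if reason:
        raise ValueError(reason)
    salt = os.urandom(16)
    return Record(salt, kdf(new_plain, salt), POLICY_VERSION)

def needs_rotation(rec: Record) -> bool:
    # The store reveals nothing about a hashed password except which policy
    # it was checked under, so that is the only basis for a forced change.
    return rec.policy_version < POLICY_VERSION
```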
My password at work has to change every ninety days - and I will admit that it's annoying to have to change it even that frequently. I write my new password down on a piece of paper, and store it with my other important and valuable pieces of paper in a special device I like to call a "wallet". Rarely-used passwords I store with other high-value pieces of paper in another device called a "safe", with copies in a special place called a "vault" at a local secured facility called a "bank".
I see it as a valuable practice to change my password occasionally, simply so that I don't remain with a password that may have been compromised. How frequently to change it, that depends on the security of the data I want to protect. Currently, my job includes protecting the secrecy of Bill Gates' medical information, among a few hundred thousand others, so it's kind of important that I get it right.