I've found in several cases that forcing users to change their password on a regular basis becomes more of a strain on maintenance than a help for security. Also, I've seen users write their new passwords down since they either don't get enough time to remember their passwords or can't be bothered re-learning another one.
What security benefit is there for forcing a change in passwords?
Best Answer
Here is a different take from the SANS diary:
Password rules: Change them every 25 years