In many large bureaucracies these days, it is fashionable to have a policy which requires changing passwords every x days (which is often referred to as password aging). Typically these are every 90 days or so, but examples have ranged from as little as 10 to a year or more. These policies are typically applied in a blanket fashion to all systems.
This is a mistake for two reasons:
In fact, what this nets out to is the issue of stability. I have always believed that for a software system to become useful, it has to become stable — which means changing it as little as possible. Password data, in the same way as the source code of the system, is susceptible to this. When people have stable passwords, they know the system should work. They won't have to suffer the pain of a system which locks them out once again because they forgot their password, and they won't have to contact the helpdesk to have it reset. They are also more likely to take the risk of using more complex, and thus harder-to-crack, passwords. In short, this makes the system more secure, not less.
I welcome your opinions.