I hate policies that say that users have to change passwords periodically because that way the system is "more secure". Bruce Schneier has discussed this a few times in Crypto-Gram. I also like this recent post on Slashdot by dangermouse:
That is the single most hare-brained bit of common security "wisdom" in the world.
Years ago, I picked a password that's random as hell and was very difficult to remember. No password cracker – dictionary *or* brute force – has broken it yet. I use this password on about ten systems.
If I changed those passwords on a regular basis, I'd have to come up with something easier to remember to make up for the decreased learning time. That would likely make my password less secure.
I keep running into admins who – by hook or by crook – make their users change passwords periodically. The result? Passwords on Post-It notes; passwords that are the names of pets or wives or firstborn children; sets of passwords that are absurdly simple and that get cycled through.
If they had just let the users keep their original passwords and run a cracker against the shadow file to turn up the overly simple ones, their systems would be a lot more secure. But somebody told them changing passwords frequently was a good idea, and by god their users are going to change passwords frequently.
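As an added worked example (not part of dangermouse's post or of the page above), here is the audit the last paragraph suggests in place of forced rotation: take the shadow file, expand a short wordlist with the mangling rules that rotation policies provoke (capitalise, tack on a digit, a year or a "!"), and try every candidate against every stored hash. It uses the platform crypt(3) through Ruby's String#crypt in SHA-512 mode ($6$), which assumes a Linux/glibc-style libcrypt; the shadow lines, the wordlist and the mangling rules are constructed for the example. Passing the full stored hash as the salt argument works because crypt(3) reads only the setting prefix and ignores the rest.

```ruby
require 'securerandom'

# Characters crypt(3) accepts in a salt.
SALT_CHARS = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.chars

# Hash a password with the platform crypt(3) in SHA-512 mode ($6$), the
# scheme most Linux distributions write to /etc/shadow by default.
# Assumes a libcrypt that supports $6$ (glibc/libxcrypt do).
def shadow_hash(password, salt = Array.new(16) { SALT_CHARS[SecureRandom.random_number(64)] }.join)
  password.crypt("$6$#{salt}$")
end

# Parse shadow(5) lines into [user, hash] pairs, skipping locked and
# passwordless accounts (hash field "!", "!!", "*" or empty).
def parse_shadow(text)
  text.each_line.filter_map do |line|
    user, hash = line.chomp.split(':', 3)
    next if user.nil? || hash.nil? || hash.empty? || hash.start_with?('!', '*')
    [user, hash]
  end
end

# Expand a base wordlist with the mangling rules that forced rotation
# provokes: capitalise, append "!", append a digit, append a year.
# The rule set is a constructed, deliberately small one.
def candidates(words)
  words.flat_map do |w|
    [w, w.capitalize].flat_map do |f|
      [f, "#{f}!"] + (0..9).map { |d| "#{f}#{d}" } + %w[2023 2024].map { |y| "#{f}#{y}" }
    end
  end.uniq
end

# Try every candidate against every hash. crypt(3) takes the salt setting
# from the stored hash, so the stored hash itself is the salt argument.
# Returns {user => cracked_password} for the accounts that fell.
def audit(shadow_text, words)
  found = {}
  cands = candidates(words)
  parse_shadow(shadow_text).each do |user, hash|
    hit = cands.find { |c| c.crypt(hash) == hash }
    found[user] = hit if hit
  end
  found
end

# Constructed sample shadow file: hashed here so the example is self-contained.
# "root" and "bob" chose rotation-style passwords; "alice" chose a passphrase;
# "daemon" has no password and must be skipped.
SAMPLE_SHADOW = <<~SHADOW
  root:#{shadow_hash('Fluffy1')}:19500:0:99999:7:::
  alice:#{shadow_hash('correct-horse-battery-staple')}:19500:0:99999:7:::
  bob:#{shadow_hash('Summer2024')}:19500:0:99999:7:::
  daemon:*:19500:0:99999:7:::
SHADOW

# Constructed base wordlist: pet names and seasons, the kind of thing
# the post says people fall back on.
BASE_WORDS = %w[fluffy summer welcome password]

if $PROGRAM_NAME == __FILE__
  audit(SAMPLE_SHADOW, BASE_WORDS).each { |user, pw| puts "#{user}: #{pw}" }
end
```

On a real system you would feed `audit` the contents of /etc/shadow (readable only by root) and a proper wordlist; the point the post makes holds either way: the accounts that fall are the ones whose owners were pushed into "Fluffy1" and "Summer2024", while the long passphrase survives untouched.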