On to the second rule – regularly changing the password. Let me first say that this is a rule I hate. Not only does it not meet the goal of protecting an account, it actually makes things worse when combined with the first rule (the complexity requirements). Let me explain.
The reaction most users have when you tell them their password has to be (for example) at least 8 characters long and contain uppercase, lowercase, and numbers is not entirely positive. It’s not always easy to think of a password that meets all of these requirements as well as the unspoken one: you have to remember it. For obvious reasons, unless they’re instructed otherwise most people will choose something easy to remember, like their surname followed by their birthday. It meets the requirements and they can remember it, but it is also exactly the shape an attacker will try first. To combat this, sensible administrators will explain how important it is that the password can’t be guessed and encourage another method of choosing one. They might suggest turning a sentence into a string of characters. For example, the sentence “I’m going to try to remember this password” could become “ImG2t2RthP@ss”. That’s a pretty good password – it meets all the rules, it looks very random, it isn’t in any wordlist so a dictionary attack won’t find it, and most importantly it can be remembered. Basically, an attacker is left with a brute-force search over 13 characters drawn from every character class, which is going to take a very long time. (The usual caveat applies: once an example like this is published it ends up in wordlists, so it’s the method that matters, not this particular string.)
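To make the comparison concrete, here is an added example (my own code, not from the original post) that checks both kinds of password against the policy in the post and then estimates the attacker's work two ways: the naive brute-force search space that the policy check implicitly assumes, and the much smaller space a pattern-aware attacker actually searches for a surname-plus-birthday password. The surname list, the 366 × 100 date variants and the 10⁹ guesses-per-second rate are constructed assumptions for illustration, not figures from the post.

```python
import math
import re
import string

# Constructed sample data (not from the post): a tiny surname list standing in
# for the wordlist a real attacker would use.
SURNAMES = {"smith", "jones", "taylor", "brown", "williams"}

# Assumptions, labelled as such: an attacker trying every calendar date in a
# 100-year window needs about 366 * 100 guesses per surname, and an offline
# attack against a fast unsalted hash runs at roughly 1e9 guesses per second.
DATE_VARIANTS = 366 * 100
GUESSES_PER_SECOND = 1e9


def meets_policy(pw: str) -> bool:
    """The 'first rule' as the post states it: at least 8 characters,
    with uppercase, lowercase and digits all present."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
    )


def surname_plus_date(pw: str) -> bool:
    """True when the password is a known surname followed by 4 to 8 digits,
    the 'surname followed by birthday' shape the post describes."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{4,8})", pw)
    return bool(m) and m.group(1).lower() in SURNAMES


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search if all they know is
    which character classes appear in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the full search space: the attacker's worst case, and the
    figure a complexity policy is implicitly counting on."""
    return len(pw) * math.log2(charset_size(pw))


def effective_bits(pw: str) -> float:
    """log2 of the guesses a pattern-aware attacker needs. For the
    surname+date shape that is |SURNAMES| * DATE_VARIANTS, far below the
    brute-force figure even though the policy check passes."""
    if surname_plus_date(pw):
        return min(brute_force_bits(pw), math.log2(len(SURNAMES) * DATE_VARIANTS))
    return brute_force_bits(pw)


def seconds_to_crack(pw: str) -> float:
    """Time to exhaust the effective search space at the assumed guess rate."""
    return 2 ** effective_bits(pw) / GUESSES_PER_SECOND


def report(pw: str) -> dict:
    """Everything the two checks say about one candidate password."""
    return {
        "password": pw,
        "meets_policy": meets_policy(pw),
        "surname_plus_date": surname_plus_date(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "effective_bits": round(effective_bits(pw), 1),
        "seconds_to_crack": seconds_to_crack(pw),
    }


if __name__ == "__main__":
    # "Smith1975" is a constructed surname+birthday password; the second is the
    # sentence-derived example from the post. Both pass the policy check.
    for candidate in ("Smith1975", "ImG2t2RthP@ss"):
        print(report(candidate))
```

Both candidates pass `meets_policy`, which is the point: the policy cannot tell them apart. The brute-force estimate gives "Smith1975" about 54 bits, but a pattern-aware attacker needs only about 17 bits of work against this toy surname list, well under a second at the assumed rate; with a realistic list of a hundred thousand surnames that becomes a few seconds rather than the months the brute-force figure suggests. The sentence-derived password has no such shortcut and stays at roughly 85 bits.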
Now, what if they know they’ll have to choose a new one to remember every month? Are they going to pick a hard password then? I’d suggest that it’s far less likely that they’ll go through this process of turning a sentence into a password every month. Even though it’s easier to remember than a random string of characters, it won’t stick instantly. It might take them a few days before they can type it without thinking. And if they have to do this every 30 days, it becomes that much harder to properly cement it in. The predictable result is a weaker password, or a trivial variation on the previous one, which is exactly what the rule was supposed to prevent.
This is so true, and it doesn't even list all the other ways users 'game' a password system that annoys them.