The human element is the weakest link in security.
I find both forced password changes and most password strength rules to be utterly foolish. The way I see it, account security is the responsibility of the users themselves; all admins should do is try to instruct them in best practices. If they choose not to follow best practices in terms of password strength and not having passwords on publicly-visible sticky notes, then that's their fault and they should be held professionally responsible for any breaches that occur as a result of their incompetence, just as if they forgot to lock the door to the building or arm the alarm on their way out.
Sure, having the same password for year after year after year is not necessarily a good thing, but I find it far more preferable for users to have a good, memorized password than have them either write one down because they had to change it, or call the helpdesk repeatedly because they don't remember what they changed it to. Either of the last two just results in security debacles, and doesn't really improve security at all.