Is there a security benefit to a regular changing password policy?
Solution 1:
Here is a different take from the SANS diary:
Password rules: Change them every 25 years
There is one practical benefit. If someone has your password, and all they want is to read your email and remain undetected, they can do so forever, unless you eventually change your sign-in secret. Thus, regularly changing the password doesn't help much against someone breaking in and making it off with your goods, but it DOES give you a chance to shake off any stalkers or snoopers you might have accessing your account. Yes, this is good. But whether this benefit alone is worth the hassle and mentioned disadvantages of forcing users to change their password every 90 days, I have my doubts.
Solution 2:
Force a password change when you guess it (by running a password-guessing program on all your users all the time).
It's hard to argue with "you have to change your password" when the answer to "why?" is "because we were able to guess it blind". It automatically rewards those who choose difficult-to-guess passwords, and teaches your users what passwords are weak. If they choose "password1", it will expire before they can log in once. If a user chooses a 16-character, random, mixed-case, alphanumeric password, you'll never guess it -- and neither will anyone else. Let 'em keep it a very long time, and they'll even be able to memorize it.
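A worked sketch of the audit-then-expire loop Solution 2 describes, added here as an illustration (not code from the answer's author). It assumes a toy account store with salted PBKDF2-SHA256 hashes, a constructed four-word dictionary, and a handful of mangling rules; the `Account`, `audit` and `expire_cracked` names are this example's own. The audit works purely from the stored hashes, the way an offline guessing run against a real credential store would, and the expiry record notes that the password was guessed without echoing the guess itself.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

# Deliberately low so the demo runs in well under a second;
# a real deployment would use a far higher work factor.
ITERATIONS = 10_000


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = False
    reason: str = ""


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256, standing in for whatever KDF the store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_account(name: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, derive(password, salt))


def candidates(wordlist):
    """Yield guesses: each base word plus a few common mangling rules
    (capitalised first letter, popular suffixes)."""
    for word in wordlist:
        word = word.strip()
        if not word:
            continue
        for base in (word, word.capitalize()):
            yield base
            for suffix in ("1", "123", "!", "2024"):
                yield base + suffix


def audit(accounts, wordlist):
    """Try every candidate against every account's stored hash.
    Returns {username: guessed_password} for each account cracked."""
    guesses = list(dict.fromkeys(candidates(wordlist)))  # dedupe, keep order
    cracked = {}
    for acct in accounts:
        for guess in guesses:
            if hmac.compare_digest(derive(guess, acct.salt), acct.pw_hash):
                cracked[acct.name] = guess
                break  # one hit is enough to force a change
    return cracked


def expire_cracked(accounts, cracked):
    """Flag cracked accounts for a forced change at next login.
    The guess itself is not written into the record or any log."""
    for acct in accounts:
        if acct.name in cracked:
            acct.must_change = True
            acct.reason = "password guessed by routine audit"
    return [a.name for a in accounts if a.must_change]


# Constructed demo data: a tiny dictionary and three users.
WORDLIST = ["password", "welcome", "letmein", "summer"]

RANDOM_16 = "".join(
    secrets.choice(string.ascii_letters + string.digits) for _ in range(16)
)

DEMO_ACCOUNTS = [
    create_account("alice", "password1"),   # dictionary word + "1"
    create_account("bob", RANDOM_16),       # 16 random alphanumerics
    create_account("carol", "Welcome123"),  # capitalised word + "123"
]


def run_demo():
    cracked = audit(DEMO_ACCOUNTS, WORDLIST)
    return expire_cracked(DEMO_ACCOUNTS, cracked)


if __name__ == "__main__":
    for name in run_demo():
        print(f"{name}: must change password at next login")
```

Alice and Carol expire immediately; Bob's random 16-character password survives the run and, under the policy the answer proposes, would keep surviving it, so he can keep it.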