Just to point out:
Forcing users to regularly change passwords can result in less security.
By being forced to regularly change their password, users have to keep thinking up new passwords and remembering which is the current one. The result of this is that they start to use a formula to create their passwords, which means the security is actually reduced (particularly since once the formula is known, the next password to be generated will be known, effectively reducing the effectiveness of forcing the password change in the first place), or they use a password keeper (including being written on a piece of paper [could be despite being told not to]) in which case all their passwords are only as secure as the access to their password keeper.
(I am forced to regularly change my password for two systems I access, with the result that I am now using a formula for the passwords for those systems as I need to be able to remember the new password. I do use a password keeper (for other accounts), but that is only as secure as the password which I use to access it - all the accounts stored therein are all effectively with the same password!)
Having said that, if it makes IT security people happy, then a user-defined period between forced changes (allowing for an option of no forced change), by user and/or globally, would be useful.