It's an interesting issue.  In my experience "stale" passwords are rarely used 
to compromise systems.  However, passwords tend to end up on sticky notes and 
even worse, in email databases regardless.  As far as compromised email 
passwords go, they seem to mostly come from infected clients and insecure public 
logins as far as I can tell.  A server can control the latter, but not the 
former.

I know of a major accounting software that forces Admin users to change their 
passwords every few months under certain circumstances.  Those passwords always 
end up in emails to fellow users, so in that case forcing people to change 
seems to be definitely counterproductive.

IMV the moral of the story is that you can't crypt your way into a 100% secure 
world.  You need other forms of checks & reconciliations that are disjoint from 
purely cryptographic infrastructure.  For instance ask Mt. Gox and Bitcoin if 
they agree in hindsight, and Heartbleed is a very good example of this concept.

Thanks,

Jake


On 4/9/2014 10:27 AM, Reindl Harald wrote:

"Change passwords from time to time is always clever" is a straw man
argument with no context to the issue.  Forcing people to change their
passwords all the time for no good reason leads mostly to completely
insecure passwords, chosen to remember them more easily, or to having them on a sticky
on the screen or under the keyboard.  The word "counterproductive" describes such
policies perfectly.
