It doesn't make much sense to begin with: why would you need to change or reset a password if it hasn't been compromised?!
The Chief Technologist at the FTC says that changing your password often is not required, and that forcing it pushes users to select weaker passwords that they can easily remember.
Changing often means weaker passwords
Being forced to change your password every month is frustrating: you need to come up with a new one, and on systems that don't have autofill or remember-me functions, an easy-to-remember (and therefore weaker) password is often the result.
I have had to experience it, and yes, the passwords I change and reset are just a simple change of order so I can remember them. A big problem is not being able to reuse any of the past 5 passwords.
It is annoying, but it also sets a precedent: why should I set a strong password when I will be changing it in a month's time?
That is another issue with this whole practice. Not only are users forced to change passwords often, but the old ones are obviously still being stored (hopefully hashed) so that reuse can be detected. It is a funny situation that seems to need a big rethink.
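As an added illustration (not code from this post), here is what a "no reuse of the past 5 passwords" check looks like when the history is kept as salted hashes, and why it cannot catch the reordered-password habit described above. The hash function, salt size and iteration count are assumptions; only the depth of 5 comes from the post.

```python
"""Password-history check: keep the last 5 salted password hashes and
reject a new password that matches any of them. Added example, not the
post's code. Hash choice (PBKDF2-HMAC-SHA256) and cost are assumptions."""
import hashlib
import hmac
import os
from collections import deque
from typing import Optional, Tuple

HISTORY_DEPTH = 5      # the post mentions "any of the past 5 passwords"
ITERATIONS = 100_000   # assumed cost parameter for the slow hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class PasswordHistory:
    """Per-user ring buffer of the last HISTORY_DEPTH (salt, digest) pairs."""

    def __init__(self) -> None:
        self._entries = deque(maxlen=HISTORY_DEPTH)

    def seen(self, password: str) -> bool:
        """True if the candidate equals one of the stored previous passwords.
        Each entry has its own salt, so the candidate is re-hashed per entry.
        Only exact matches are detectable: a hash reveals nothing about how
        similar two passwords are, so a simple reordering slips through."""
        for salt, digest in self._entries:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def set_password(self, password: str) -> bool:
        """Record the new password and return True, unless it is in the history."""
        if self.seen(password):
            return False
        self._entries.append(hash_password(password))
        return True


if __name__ == "__main__":
    history = PasswordHistory()
    print(history.set_password("Summer2024!"))   # True: first password
    print(history.set_password("Summer2024!"))   # False: exact reuse is caught
    print(history.set_password("!Summer2024"))   # True: reordering is not caught
```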
From secure to questionable
Online there are many sources and articles claiming that frequent changes are bad, mostly stemming from the FTC release. It is not just an opinion; there is decent evidence suggesting it is a pointless exercise.
One can argue that having to change passwords often is bad UX, as it slows down the user; one can also argue that the whole principle of frequent password changes needs to change itself.