It seems to me that the only reason someone would tell a user that they must change their password is because the company, organization or whatever has had their files hacked and passwords of users were or possible were, compromised because of the company/organization’s lack of proper security and contorl over they system they run/service.

And I know it’s considered good practice to force password changes, but I’m not convinced:
- if a password is a secret, then its efficacy does not deteriorate with time
- if the secrecy of a password can be broken after the lifetime of the password, then it can be broken within the lifetime of the password
- if a password is no longer a secret, then the new one will escape in the same way as before

For forced password changes to be effective, passwords would need to be changed at every login or every day to mitigate the risks, but that is impractical.

Furthermore, users get to know their passwords. Change it and they’ll have a hard time remembering the new one – they therefore either write it down (reducing secrecy), or make their new password a minor variant of the previous (leaving it easy to guess), effectively negating the purpose of changing passwords. Or worse, they attempt to memorise it, fail, and then have to keep contacting you to get it changed.

Passwords are flawed, and forcing them to be changed skims over the true issues and just introduces new problems. If the account is worth protecting, use two-factor authentication; otherwise enforce strong passwords, take steps to defend against brute force and dictionary attacks, make users aware of the dangers, and take no further responsibility for account security.

Wow, I wrote an essay! Does any of that make sense, or have I overlooked something obvious?