Forum OpenACS Q&A: Re: Interesting article on web based password protection
Maybe I'm missing something, but let's see: the user thought up a good, hard-to-break password and carefully memorized it, so he never had to write it down anywhere and risk compromising security. Now what do you do? A few months later, you make him do it all again - you punish the user for his diligence.
IMO, that path leads right back to passwords on Post-its and passwords like "foobar123". If you're lucky, the clever user will subvert your (hopefully simple-minded) password expiry scheme and simply alternate back and forth between two good, secure passwords that he remembers.