Checking for strong passwords sounds good, but I never understood the
attraction of expiring passwords.
Maybe I'm missing something, but let's see, the user thought up a
good, hard to break password, and carefully memorized it, so he never
had to write it down anywhere and risk compromising security. Now
what do you do? A few months later, you make him do it all
again - you punish the user for his diligence.
IMO, that path leads right back to passwords on post-its and passwords
like "foobar123". If you're lucky, the clever user will subvert your
(hopefully simple-minded) password expiry scheme and simply alternate
back and forth between two good secure passwords that he remembers.
