What if...
What if an employee works for a company for 5 years, on day 1, they create an uber secure password and they never change it. Through any number of different methods (crack the DB, social engineering, malware, lucky guess, extortion, etc.) someone manages to get the password after 3 years. Now the cracker is golden and has an account of a password that is good for at least 2 years in this case. They can then use this for other attacks and get more passwords for users that might be around for the next 10 years. Technology and security implementations continue to change and after a few years that uber secure password may just be a good password over time. Having a user change the password every week is one extreme, never require a password change is the other extreme. I believe somewhere in between these extremes there is a balancing point where having users change passwords is beneficial for security. Of course you can choose any policy that you feel comfortable with.
