
The real sad side about all this is most of the people who push the frequent password change concept are pushing it for the system access password on the corporate networks where the data never goes outside the corporate network anyway, thus most of the options to intercept and collect the password aren't able to work as they don't have the access. It's often just some fool's paranoia about passwords.

One military base I worked at we had a corporate network that wasn't linked to the Internet and the fellow responsible for base IT had the staff change their password each year just after the major tour of duty rotations. His replacement insisted on monthly changes. After three months I was able to crack 80% of the passwords by just entering abusive phrases as that's the only way the troops could remember the constantly changing passwords. After hearing about this, the Base Commander issued a base policy of annual password changes. Password policy was always - password length 12 to 25 characters, must have at least one capital and not as the first or last character, and two numerals with one of them in a place other than either end. It was definitely complex enough all the time.
Posted by Deadly Ernest
3rd Dec