A 30 day password expiration policy sounds great on paper but we have it in place. From what I have seen, it promotes weaker passwords and insecure habits. No sooner do they have the new one memorized when they have to change it again. People resort to using weaker passwords (a word with an incremented number at the end) or writing their passwords down.