Mandatory password changes never made any sense. It's especially terrible when systems don't allow users to re-use previous passwords.
It forces users to keep inventing new passwords which they can never remember, then they end up writing the passwords on Post-it notes and sticking them on their computer screens where everyone can see.
Same issue with forcing people to use special characters in their passwords; it makes people choose passwords that they can't remember.
I've used systems where the situation became so out of control that I literally had to go through the entire 'forgot your password' (reset password) flow every single time I wanted to log in. That was the fastest way for me to log into that service.