I found this article at the Center for Education and Research in Information Assurance and Security about Security Myths and Passwords. It articulates why forcing users to change their password every month is not an effective security measure.
This is DESPITE the fact that any reasonable analysis shows that a monthly password change has little or no end impact on improving security! It is a “best practice” based on experience 30 years ago with non-networked mainframes in a DoD environment — hardly a match for today’s systems, especially in academia!