Hello,

After seeing my 4th application/network password expire in as many days, it made me wonder what the quantitative trade-off/benefit to having password lifetimes is. And if there is such a security benefit, why don't all password-protected services require password lifetimes? Also, do people tend to pick "easier" or similar passwords if they know the password will expire in the near future? And if they do tend to pick "easier" or "guessable" passwords, how does this affect application security in relation to the expiration requirement?

Just curious if anyone has some thoughts on this issue, or even better - studies that document the trade-offs and quantitative benefits of these password requirements. I have a theory as to why only certain services/applications require password expiration mechanisms but I'll leave it out until I hear from some more informed opinions...

Thank you in advance.