March 23rd, 2007, 07:14 PM
#1
Junior Member
Thanks for the reply, Aardpsymon,
In theory, I can see how password expiration could thwart brute force attacks over time, but that assumes the passwords markedly change over time rather than the "recycling" that often occurs of appending numbers to old passwords. Once a password file is cracked offline, it would be evident which passwords are cyclical and which are not.
Furthermore, if expiring passwords add that much more value to application security, why do some of the most sensitive applications on the internet (online banking, PayPal, eBay) not have expiring passwords?
I've done a bit of googling since first posting, but all I've found on the subject in regard to a quantitative study of the policy is this paper: http://www.smat.us/sanity/expharmful.html. Not exactly an industry or academic source, however.