I do not require passwords to be changed on a schedule in my application for a simple reason: it makes remembering passwords harder and is thus more likely to lead people to write them down somewhere or otherwise use an unsafe memory aid.
What arguments are there to the contrary? Why would forcing someone to change a password that no one else knows make it more secure?
Note: since this is open to opinion and debate, I’m marking it as a community wiki. It is, however, centrally a technology concern so I think it reasonable to post here.
How do you know no one else knows it? The risk is not so much when you realise someone else knows your password, it's when you assume no one else knows it, but they do.
The principle is that it limits the exposure period if a password is compromised.
If that compromised password can float around for ever, then the system is compromised for ever.
By forcing password changes every 30/90 days, to a password that hasn’t been used before, you are ensuring that if a password is compromised, it will be secure again no later than that period.
That being said – I hate it when I have to change my password after 30 days, and even when it was increased to 90 days still hated it.
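The two mechanisms the answer above relies on, a rotation deadline that caps how long a leaked password stays valid and a history check so the "new" password is not an old one, are easy to get subtly wrong (unsalted history, plain `==` comparison, no cap on the window). The following is an added example, not code from the question or the answer: it models a credential with a 90-day rotation period and a five-entry password history, both assumed values, using PBKDF2-SHA256 with a per-entry salt so old hashes can still be compared against a candidate. `Credential`, `exposure_days` and `run_demo` are names chosen here for illustration; the dates in `run_demo` are constructed.

```python
import functools
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy parameters, assumed for this example (the answer above cites 30- and 90-day periods).
ROTATION_PERIOD = timedelta(days=90)
HISTORY_DEPTH = 5            # assumed: number of previous password hashes kept for reuse checks
PBKDF2_ITERATIONS = 100_000  # kept modest so the demo runs quickly; raise in production


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Credential:
    """A stored password, the time it was set, and a bounded history of previous hashes."""

    def __init__(self, password, set_at):
        self.salt, self.digest = hash_password(password)
        self.set_at = set_at
        self.history = []  # (salt, digest) pairs for previous passwords, oldest first

    def verify(self, password):
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)

    def is_expired(self, now):
        """True once the rotation period has elapsed since the password was set."""
        return now - self.set_at >= ROTATION_PERIOD

    def was_used_before(self, password):
        """Compare the candidate against the current hash and every remembered old hash,
        each under its own salt, so reuse is caught without storing plaintext."""
        for salt, digest in self.history + [(self.salt, self.digest)]:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def change_password(self, new_password, now):
        """Rotate to a new password; returns False and changes nothing if it was used before."""
        if self.was_used_before(new_password):
            return False
        self.history.append((self.salt, self.digest))
        self.history = self.history[-HISTORY_DEPTH:]
        self.salt, self.digest = hash_password(new_password)
        self.set_at = now
        return True


def exposure_days(credential, compromised_at):
    """Days a password leaked at `compromised_at` remains valid, assuming the user rotates
    exactly when forced. The result can never exceed ROTATION_PERIOD, which is the answer's point."""
    next_rotation = credential.set_at + ROTATION_PERIOD
    return max((next_rotation - compromised_at).days, 0)


@functools.lru_cache(maxsize=None)
def run_demo():
    """Walk one rotation cycle on constructed dates and return the observations."""
    cred = Credential("correct horse battery", datetime(2024, 1, 1))
    return {
        "login_ok": cred.verify("correct horse battery"),
        "login_wrong": cred.verify("wrong password"),
        "expired_day_60": cred.is_expired(datetime(2024, 3, 1)),
        "expired_day_90": cred.is_expired(datetime(2024, 3, 31)),
        # leaked on 1 Feb: usable until the forced change on 31 Mar at the latest
        "exposure_if_leaked_feb1": exposure_days(cred, datetime(2024, 2, 1)),
        "rotated": cred.change_password("staple flux capacitor", datetime(2024, 3, 31)),
        "reuse_rejected": not cred.change_password("correct horse battery", datetime(2024, 3, 31)),
        "old_password_still_works": cred.verify("correct horse battery"),
        # leaked on 15 Apr after the rotation: next forced change is 29 Jun
        "exposure_if_leaked_apr15": exposure_days(cred, datetime(2024, 4, 15)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The bound `exposure_days` computes only holds for the leaked secret itself: it assumes the rotation is what ends the attacker's access, so if the window was used to add a second credential, an API token or some other persistence, the forced change does not evict that.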