The problem is that this doesn’t take into account the inconvenience to users  - the ‘usability costs’ - of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember. Our passwords have to be as long as possible and as ‘random’ as possible. And while we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.

To make matters worse, most password policies insist that we have to keep changing them. And when forced to change one, the chances are that the new password will be similar to the old one.