Suffice to say, the general policy in the places I've worked that have to comply with security guidelines from the government here in the UK is to have enforced password changes. That is good enough for me, regardless of what other advice I may be given here.

However, since this appears to be a bone of contention that is obviously causing people issues, I've turned off enforced password changes.