Few things are more annoying than passwords. In theory, they’re fantastic. You keep a secret locked away in your super-computer-brain, and nobody else knows what it is, then you use that secret to prove that you’re who you say you are. Brilliant.
Except that, in reality, passwords are beset by several tough problems. First and foremost, you don’t have any control over what the website you plug your password into does with it, so using the same password for everything is foolish. That means that instead of having to remember one password, you have to remember a bunch of them and what services and websites they match up with. Don’t write them down, either, or someone with physical access to your space could steal them!
Those are all problems with passwords before individual sites get into the mix with their own restrictions. Some of these make sense; it’s almost pointless to have a two-character password, after all. Others are just silly: why should there be a limit on how long the password can be? Or on what characters I can put into it? Then we have the myriad restrictions on how complex the password can be and how often you can repeat it.
The first group of problems are all going to be around for as long as we have passwords, but when it comes to the problem of users having too simple a password, there’s a painfully simple solution: base the expiration date of a password on how strong it is.
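One way strength-based expiration could be computed, as an added sketch that is not code from the article. The guess rate, safety factor, 40-bit floor, ten-year cap and the character-pool strength estimate are all assumptions chosen for illustration, and the sample passwords are constructed.

```python
import math
import string

# All constants are assumptions for this sketch; none come from the article.
GUESSES_PER_SECOND = 1e9   # assumed offline guessing rate against a leaked hash
SAFETY_FACTOR = 10         # expire after 1/10 of the expected cracking time
MIN_BITS = 40              # weaker than this: reject instead of granting a lifetime
MAX_LIFETIME_DAYS = 3650   # cap so that even very strong passwords rotate eventually

POOLS = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def estimate_bits(password: str) -> float:
    """Upper-bound strength: length * log2(size of the character pools in use).

    It ignores dictionary words and patterns, so it overestimates weak choices.
    """
    pool = sum(len(p) for p in POOLS if any(c in p for c in password))
    if any(not c.isalnum() or not c.isascii() for c in password):
        pool += 33  # printable ASCII symbols plus space; also used for non-ASCII
    return len(password) * math.log2(pool) if pool else 0.0


def lifetime_days(password: str) -> int:
    """Days until expiry, computed when the password is set, because only then
    is the plaintext available. 0 means the password is rejected."""
    bits = estimate_bits(password)
    if bits < MIN_BITS:
        return 0
    # Expected cracking time is half the search space. Work in log2 so that
    # very long passwords cannot overflow a float.
    log2_days = (bits - 1) - math.log2(GUESSES_PER_SECOND * SAFETY_FACTOR * 86400)
    if log2_days >= math.log2(MAX_LIFETIME_DAYS):
        return MAX_LIFETIME_DAYS
    return max(1, int(2 ** log2_days))


if __name__ == "__main__":
    # Constructed sample passwords, from too weak to capped.
    for sample in ("ab", "abcdefgh", "correcthorse", "Abcdefgh12", "correcthorsebatt"):
        print(f"{sample!r}: {estimate_bits(sample):.1f} bits, "
              f"expires in {lifetime_days(sample)} days")
```

Under these assumptions each extra character multiplies the lifetime by the pool size, so a slightly longer password earns a much longer time before it has to be changed.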