Good blog posting on password rules, with an interesting speculation on how one of them came about:
In summary, forcing periodic password changes given today’s resources is unlikely to significantly reduce the overall threat – unless the password is immediately changed after each use. This is precisely the nature of one-time passwords or tokens, and these are clearly the better method to use for authentication, although they do introduce additional cost and, in some cases, increase the chance of certain forms of lost “password.”

So where did the “change passwords once a month” dictum come from?

Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years. As time went on, auditors began to look for this and ended up building it into their “best practice” that they expected. It also got written into several lists of security recommendations.

This is DESPITE the fact that any reasonable analysis shows that a monthly password change has little or no end impact on improving security! It is a “best practice” based on experience 30 years ago with non-networked mainframes in a DoD environment – hardly a match for today’s systems, especially in academia!