How often should passwords change?

The brute force attack can be described as such: the attacker tries a lot of random potential passwords, until the right one is found. Forcing a password change for the user, i.e. changing from one potential password to another, does not substantially lower the success rate of the attacker (indeed, it changes anything only if the space of possible passwords is so small that the attacker can explore it exhaustively -- and this means that you have a bigger problem, which is that your users choose very weak passwords). It is a widespread, but wrong belief that password changes somehow "restore security".

What may make sense is to disable accounts which are the target of a brute force attack, indicated by a lot of failed attempts. But this kind of locking feature can backfire: it allows anybody to lock the account of anybody else, which can turn into a big helpdesk problem.

Correspondingly, there is no need for you to change your cellphone provider password because it is old. Change your password if it is weak, but weakness does not grow over time; it is there right from day 1.
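The lockout trade-off described in this answer, as an added example that is not part of the original post: a per-account lockout stops a brute-force run after a fixed number of failures, but it also lets a stranger lock the legitimate owner out. The alternative counter keyed by (source address, account) is an assumption for illustration, not something the answer proposes; the credential store, the `MAX_FAILURES` value and the two addresses (from the documentation IP ranges) are constructed sample data.

```python
import hmac
from collections import defaultdict

MAX_FAILURES = 5  # assumed policy value, not from the original answer

# Constructed sample credential store. Plaintext only to keep the example short;
# a real system compares against a salted password hash.
USERS = {"alice": "correct horse battery staple"}


def check_password(user, password):
    """Constant-time comparison against the stored secret (sample store)."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


class PerAccountLockout:
    """Lock the account after MAX_FAILURES failed logins, whoever sent them.
    This is the 'disable accounts under attack' policy from the answer."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # keyed by account name only
        self.locked = set()

    def login(self, user, password, source_ip):
        if user in self.locked:
            return "locked"  # even the correct password is refused now
        if check_password(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "failed"


class PerSourceThrottle:
    """Assumed alternative: count failures per (source address, account) pair,
    so guesses from a stranger do not block the owner logging in from elsewhere."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # keyed by (source_ip, user)

    def login(self, user, password, source_ip):
        key = (source_ip, user)
        if self.failures[key] >= self.max_failures:
            return "throttled"
        if check_password(user, password):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "failed"


def simulate(policy):
    """Attacker sends MAX_FAILURES wrong guesses for alice's account from one
    address; then alice logs in correctly from another address, and the
    attacker tries once more. Returns both outcomes."""
    attacker_ip, owner_ip = "203.0.113.5", "198.51.100.7"  # constructed
    for i in range(MAX_FAILURES):
        policy.login("alice", f"guess{i}", attacker_ip)
    owner = policy.login("alice", USERS["alice"], owner_ip)
    attacker = policy.login("alice", "guess99", attacker_ip)
    return {"owner": owner, "attacker": attacker}


if __name__ == "__main__":
    print("per-account lockout:", simulate(PerAccountLockout()))
    print("per-source throttle:", simulate(PerSourceThrottle()))
```

Under `PerAccountLockout` the owner's correct login comes back `locked`: anyone who knows a username can lock that account, which is the helpdesk problem the answer warns about. Under the per-source variant the owner gets `ok` while the attacker's address is `throttled`; the caveat is that an attacker who rotates source addresses is not slowed at all by that variant, so real deployments combine it with rate limits, backoff or a second factor rather than relying on either counter alone.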

  1. When your users are humans, forcing regular password changes doesn't necessarily increase security.
    See the FTC post "Time to rethink mandatory password changes" by Chief Technologist Lorrie Cranor, based on research about how humans actually use these systems. (Washington Post coverage here.)
  2. When you are the user, you should change your password more frequently than the expected mean frequency of when the password is compromised by a hack on the data store or any other method by which someone might obtain your password. This is a longer time (lower frequency) if your passwords are unique than if you reuse passwords (because there's a wider variety of ways a frequently reused password might be compromised). If you have any special reason to believe that a password has been recently compromised, that's a good time to change it too; otherwise you're relying on your own estimates of the security of that access control.
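One way to make point 2 concrete, as an added example rather than anything from the original answer: model compromises of a stored password as a Poisson process with an assumed yearly rate, rotate the password on a fixed schedule, and compute what fraction of the time a compromised-but-unnoticed password is still valid. The rate values, the number of sites over which a password is reused, and the Poisson assumption itself are all assumptions made for this illustration.

```python
import math

DAYS_PER_YEAR = 365.0


def exposed_fraction(compromises_per_year, rotation_days):
    """Fraction of the time an undetected, compromised password stays valid.

    Model (assumption): compromises arrive as a Poisson process with rate
    lambda per year; the password is replaced every T days and the user does
    not otherwise notice. Within one rotation interval the exposed time is
    T - X for the first compromise time X ~ Exp(lambda), or 0 if X > T, so
    E[exposed] / T = 1 - (1 - exp(-lambda*T)) / (lambda*T).
    """
    lam_t = compromises_per_year * rotation_days / DAYS_PER_YEAR
    if lam_t <= 0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-lam_t)) / lam_t


def mean_days_between_compromises(compromises_per_year):
    """Mean time to compromise; the answer says to rotate more often than this."""
    return DAYS_PER_YEAR / compromises_per_year


def rotates_often_enough(compromises_per_year, rotation_days):
    """Point 2 of the answer as a predicate: rotation period shorter than the
    expected time between compromises."""
    return rotation_days < mean_days_between_compromises(compromises_per_year)


def reuse_rate(per_site_rate, sites):
    """Reusing one password across N sites: a breach at any of them exposes it,
    so the compromise rate adds up (assumption: independent sites)."""
    return per_site_rate * sites


if __name__ == "__main__":
    per_site = 0.1  # assumed: one compromise per ten years at a single site
    for sites in (1, 5):
        rate = reuse_rate(per_site, sites)
        print(f"reused across {sites} site(s): mean days between compromises "
              f"= {mean_days_between_compromises(rate):.0f}")
        for rotation in (30, 90, 365, 3650):
            print(f"  rotate every {rotation:4d} days: exposed "
                  f"{100 * exposed_fraction(rate, rotation):5.2f}% of the time, "
                  f"often enough: {rotates_often_enough(rate, rotation)}")
```

For small lambda*T the exposed fraction is roughly lambda*T/2, which is the answer's point stated numerically: exposure scales with the rotation interval and with the compromise rate, and reuse multiplies the rate. The model says nothing about detection; if you have a concrete reason to believe a password leaked, rotating it then is what removes the exposure, not waiting for the schedule.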

I have to disagree with Tom on "there is no need to change your password because it is old...".

In and of itself, that is reasonably true, however the pragmatics of real life interfere with theory and make that not so true. Since we are oftentimes asked to enter our passwords in many different environments and places - some of which we do not always control, it is my opinion that having good password changing schedules is a policy that should be in place and is a peer policy to strength.

There is too much of a possibility that, one time, a password is entered in a compromised environment and captured, or (as I often see it), an admin is given (for a momentary purpose, but they keep it around) a password to accomplish a task while someone is travelling... or some other reason like that. Without password change schedules in effect, you have no way of re-baselining the risk associated with these spurious and random events.