HBGary isn't anywhere near the only company to have security holes like this open. It's just worse because they're a security company and they happened to piss off Anonymous.
Getting employees or users not to reuse passwords is probably the hardest thing to do.
Mammoth global corporations use passwords like 'P@55w0rd' on production systems and open servers not blocked by a firewall that store product-code and build systems. This type of 'best practice failure' occurs everywhere.
For most, it's like flossing every day. You know you should... but do you?
One point in favor of requiring ssh keys for external access is that the users don't get to blow it on passwords. Though it does require sysadmin staff who are willing to walk users through the process of creating the keys --- and stubborn enough to explain that this is the procedure until following it becomes the path of least resistance.
Also, passwords are compromised much more often than keys. To get someone's SSH key you have to have access to their local workstation, which is probably going to be more troublesome than access to a colo'd server, if for no other reason than most workstations go to sleep after they've been inactive for a while (there are other reasons, though).
Also, changing keys isn't that hard. You just re-run ssh-keygen and delete the old key from authorized_keys and replace it with the new one.
Replacing the private key is the hard part. It's the kind of thing where you don't discover that the new private key for your server isn't on your backup laptop until you need to log in and don't have access to a system with the key.
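The authorized_keys swap described in the comments above, as an added example that is not part of the thread: it refuses to edit the file unless the retiring key is actually present, and replaces the file in one rename. The function names are hypothetical, and entries are matched on the base64 blob so a leading options field or a changed comment does not hide the old key.

```shell
#!/bin/sh
# Added example (not from the thread): retire one public key and install its
# replacement in an authorized_keys file without leaving a half-written file.

# Print the base64 blob (second field) of a "type blob [comment]" .pub line.
key_blob() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# has_blob FILE BLOB: succeed if any line of FILE carries BLOB as a field.
has_blob() {
    awk -v b="$2" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
        END { exit !found }' "$1"
}

# rotate_authorized_key FILE OLD_PUB_LINE NEW_PUB_LINE
# Returns 0 on success, 1 if the old key is not in FILE (nothing is changed),
# 2 on malformed or identical keys, 3 if the temporary file cannot be written.
rotate_authorized_key() {
    file=$1; new_line=$3
    old_blob=$(key_blob "$2"); new_blob=$(key_blob "$3")
    [ -n "$old_blob" ] && [ -n "$new_blob" ] || return 2
    [ "$old_blob" != "$new_blob" ] || return 2
    has_blob "$file" "$old_blob" || return 1
    # Build the new file next to the old one so the final mv is a rename.
    tmp=$(mktemp "$file.XXXXXX") || return 3
    # Copy every entry except the ones carrying the old blob.
    awk -v b="$old_blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$file" > "$tmp" || { rm -f "$tmp"; return 3; }
    # Append the new key unless it is already listed.
    has_blob "$tmp" "$new_blob" || printf '%s\n' "$new_line" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
}
```

Confirm a login with the new private key from every machine that needs access before the old private key is destroyed.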
That's not a technical problem tho', it's social/organizational. If you make passwords too complex and change too often and enforce it in software, you simply encourage people to write them down, save them in the browser, etc. Or people will be phoning the helpdesk every day to get a reset, and security as a whole will be discredited as a waste of time. NOTE: I'm not saying that it is a waste of time, but the best policies in the world are of no help if people simply refuse to follow them.
The truth is passwords are not like toothbrushes - they don't actually need replacing every three months. Only if some event has occurred (e.g. a sysadmin leaving the company). They don't get weaker over time. Why not let someone keep the same decently strong password for as long as they're an employee? I guarantee this will be actually more secure.
Passwords do get weaker all the time, to the extent that they are used in multiple places. Changing the password on different systems on different schedules discourages password reuse. It also means the 'active' password is much less likely to be the password the employee used on a random news site they logged into once to comment.
There is obviously a balance to be had, because frequent rotations may encourage people to choose weaker passwords, but there is certainly value in expiring passwords.
Changing the password on different systems on different schedules discourages password reuse.
But it doesn't, it really doesn't. It just results in people buttonholing sysadmins in the corridor asking "when are you going to stop dicking around and implement SSO?". Not long after that, people just start ignoring security advice altogether.
You are right about reuse across multiple internal systems not being strongly discouraged.
Where it does discourage reuse is across multiple systems, and with websites. Making me change my corporate password every 90 days is an effective way to ensure that I don't use my current password across a large number of websites. Maybe I'd go to the effort of making my gmail password the same as my corporate password. The password on that random news site account I forgot about? No ways.
It's not a panacea, but password expiry does effectively limit the spread of passwords in many cases.
Your last paragraph actually has a very good point - why do companies insist on changing the employee passwords every month? Chances are, if somebody got hold of your password, he/she is not going to wait a month before using that knowledge, right? So, really, I'm curious as to why most companies have this policy.
Passwords historically got weaker over time, but not in the sense that 'if he got your password he's not going to wait to use it'. They weaken in their hashed form. It used to be (still is, really) trivial to score the passwd file of a system, and get all the hashes of passwords, but no plaintext.
By changing passwords every N months, you eliminated the ability of someone to crack the hashes and obtain a cleartext password where they previously only had a hash.
That time window has gotten absurdly short, however...and with Pass the Hash and MITM, I don't even need your password anymore :(
Getting employees or users not to reuse passwords is probably the hardest thing to do.
Also, Ars' coverage of this story has been great.