
Rotating (or required change) on some circumstantial criterion (the old password is known or suspected to be compromised, system update, etc.) is entirely valid.

Forced scheduled frequent password updates are not and worsen rather than improve security. That's the point here.

In environments in which data leakage probability is high, and detection capabilities poor, periodic password changes are a defensible risk-mitigation measure, though in practice unless new tokens are themselves robust, the practice backfires. The problem is that both sides of the risk calculus need to be considered --- compromised token validity period, and token strength. People being people, the first is actually the safer risk to take.
