I don't understand having a policy which requires people to change their password every couple months. We have that kind of policy at work and I don't quite get the reasoning behind it.
If someone guesses your password, changing it isn't going to defeat them. The damage is already done. If someone is trying to guess your password, again changing it doesn't necessarily help. Imagine someone doing a dictionary-based attack and trying a million passwords one after another. If you change your password to something they already guessed, then they will finish their attack unsuccessfully and will have to start all over, which is good. However, if you change it to something they haven't guessed, they may actually end up guessing your password sooner than they would have, depending on where in the remaining list of passwords you jump to. Worst-case scenario is they still guess it, but it takes a bit more time. And what are the chances of changing your password right in the middle of being attacked in this way? This is so stupid that I don't think it's an actual justification, but it's the first thing that came to mind.
There's an argument to be made that accounts should "expire" after a certain amount of time, and forcing you to change your password every couple months prevents old, still-active but unused accounts from accumulating. If an old inactive account is compromised, a malicious user could possibly use the account for an extended period of time without anyone noticing (since no authorized user is using the account on a regular basis). This is my best guess as to the rationale for this policy. But it seems to me that this policy could be implemented just as easily by checking the date an account was last logged on. If I use my account every single day (which I do) I shouldn't have to change my password for this reason.
In practice, forcing people to change their passwords all the time ends up being counter-productive, in my opinion. People can't remember one password, let alone multiple passwords due to changes over time. So everyone thinks of a password, slaps a number on the end, and rotates the password by changing the number. Or something similar. At the very least, I think an argument can be made that the more often you have to think of a password, the less likely you are to think of a GOOD password. If it's a hassle to constantly change it (which I think it is), people will pick short, easy passwords, which is bad. Either that, or people will resort to the infamous "sticky note on the monitor" trick.
I pretty much never change my password on my home computer, unless I do something stupid and think I may have compromised myself. Maybe this is dumb, but I can't see a need for it.
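The post's alternative to blanket rotation is to look at when an account was last used and act on accounts that have gone quiet. As an added illustration (not code from the original post or from any particular product), the script below does exactly that over a constructed table of last-logon timestamps: it flags accounts idle for longer than a chosen window so they can be disabled or reviewed, while an account that is used every day is left alone. The account names, timestamps and the 90-day window are all assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data for the example: account name -> last successful
# logon, as an ISO-8601 timestamp. In practice this would come from the
# directory or the authentication logs.
SAMPLE_LAST_LOGON = {
    "alice": "2024-05-01T08:15:00",       # logs on daily
    "bob": "2023-11-20T17:40:00",         # has not been seen for months
    "carol": "2024-04-28T09:02:00",       # recent
    "svc-backup": "2023-06-01T02:00:00",  # forgotten service account
}


def parse_logons(records):
    """Turn the raw name -> ISO timestamp mapping into name -> datetime."""
    return {user: datetime.fromisoformat(ts) for user, ts in records.items()}


def stale_accounts(records, now, max_idle_days):
    """Return (account, idle_days) pairs for accounts with no logon inside
    the last max_idle_days, longest-idle first.

    This is the 'check the date the account was last logged on' policy from
    the post: active accounts never appear here no matter how old their
    password is, so they are not forced to rotate for this reason.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = [
        (user, (now - last) .days)
        for user, last in parse_logons(records).items()
        if last < cutoff
    ]
    return sorted(stale, key=lambda item: item[1], reverse=True)


def is_active(records, user, now, max_idle_days):
    """True if the account has logged on within the idle window."""
    return user not in {u for u, _ in stale_accounts(records, now, max_idle_days)}


if __name__ == "__main__":
    # Assumed "current time" so the example is reproducible offline.
    now = datetime(2024, 5, 2, 12, 0, 0)
    for user, idle in stale_accounts(SAMPLE_LAST_LOGON, now, max_idle_days=90):
        print(f"{user}: no logon for {idle} days -> review or disable")
```

Run as-is it reports only the two dormant entries; the daily user is untouched, which is the behaviour the post argues for. A real deployment would feed the function from the directory's last-logon attribute rather than a literal dictionary, and would disable rather than merely print.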