First off, this image is absolutely appropriate. I'd love to use passphrases instead of my current 'pseudo-passphrase'.
Second, password change policies are ridiculous these days. SAS70 requirements, and to some extent PCI requirements, are actually causing more security holes than needed. Let me explain:
Let's say, for example, you have 5 common passwords for different things (I'd like to think most IT people follow this rule).
1) Email
2) Work Creds
3) Bank
4) Shopping (Amazon, Verified by Visa, Newegg, etc)
5) Throw away
My throwaway creds are just that: throwaway. If someone has access to that password, it nets them very little usable information.
Email. If I start finding composed emails I didn't write, I can change all my email passwords and be done with it.
Bank. Chase has password requirements that don't fall in line with any password I've ever used since the beginning of time. I made up a new password for them years and years ago. Looking back, I'm kind of glad they suck, since it forced me to use a different password for banking.
Shopping. It lets me log in to my shopping sites, which store no credit card info, without wondering 'oh god, what did I pick', and if someone were to get into an account, I can just change them all. No big deal.
The last one is work. It's fucking stupid what these security compliance companies have forced us into. I've worked in IT for almost a decade now, and the policy is archaic, based on a time when people used simple words for passwords. Most people nowadays know that 'password' is not a good password. Most auth systems won't allow you to use that password anyway. The reason these policies exist, though, is quite unfortunate.
Even at a large tech-centric company you still have salespeople that are fucking computer retards. "Oh, Cindy, I've never heard of her, but she's sending me a presentation. It's in a zip file... nothing strange about that... let me just uncompress and open this .exe PowerPoint." The more frustrating part is the default Windows setting that 'hides extensions for known file types'. GREAT!!!!! Now people see a file named just 'presentation' and not 'presentation.exe', and open it not realizing it's an executable, even if they're smart enough to know the difference.
In this SPECIFIC scenario, password changes are required, primarily to close any back doors created by the phisher. If all passwords in a database are expired, you've effectively removed their entry point and forced them to start their phishing over again.
What I'd really like to see SAS do is allow you to have a secondary password strength test like 'length over 30 characters >= 8 character mixed type'. The reason being that NO ONE now gens rainbow tables without the entire UTF-8 character set. And if they do, they at least have every character on the US keyboard.
So, as Randall says, these days you're probably safer using a passphrase than a complicated, difficult-to-remember password. You're just causing more stress to yourself and making your password easier to guess.
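As an added example, not part of the comment above: the "secondary strength test" the commenter asks for, written in Python as an either/or policy. The thresholds 30 and 8 are taken from the comment; reading the rule as "longer than 30 characters passes on length alone, otherwise at least 8 characters drawn from several character classes", the choice of four character classes, and the requirement of three of them for a short password are all my assumptions. A small search-space helper is included so the two branches can be compared on the same scale (bits an attacker must cover for a uniformly random secret); it generalizes beyond the comment by taking any alphabet size, so it covers both a character alphabet and a word list.

```python
import math
import string

# Thresholds from the comment above; everything else in this block is an assumption.
PASSPHRASE_MIN_LEN = 30       # "length over 30 characters": strictly longer than 30 passes on length alone
COMPLEX_MIN_LEN = 8           # ">= 8 character mixed type"
COMPLEX_MIN_CLASSES = 3       # assumption: "mixed type" means at least 3 of the 4 classes below

# Assumed character classes (ASCII only; the comment's point about UTF-8 rainbow tables is not modelled here).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def char_classes(pw: str) -> set:
    """Return the names of the character classes that appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def meets_policy(pw: str) -> tuple:
    """Either/or rule: a long passphrase passes on length alone; anything shorter
    must be at least COMPLEX_MIN_LEN characters and use COMPLEX_MIN_CLASSES classes.
    Returns (accepted, reason)."""
    if len(pw) > PASSPHRASE_MIN_LEN:
        return True, "passphrase"
    classes = char_classes(pw)
    if len(pw) >= COMPLEX_MIN_LEN and len(classes) >= COMPLEX_MIN_CLASSES:
        return True, "complex"
    return False, (f"rejected: {len(pw)} chars, {len(classes)} class(es); need "
                   f"> {PASSPHRASE_MIN_LEN} chars or >= {COMPLEX_MIN_LEN} chars "
                   f"with >= {COMPLEX_MIN_CLASSES} classes")


def brute_force_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space for a uniformly random secret of `length` symbols,
    each drawn from `alphabet_size` choices. Works for characters (e.g. 95 printable
    ASCII) and for words (e.g. a 2048-word list), so the two policy branches can be
    compared on one scale. Only meaningful for *random* choices; human-chosen
    passwords are far weaker than this number suggests."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real system.
    for candidate in ["password", "Tr0ub4dor&3", "correct horse battery staple again"]:
        print(repr(candidate), meets_policy(candidate))
    print("8 random printable chars:", round(brute_force_bits(95, 8), 1), "bits")
    print("4 random words from 2048:", round(brute_force_bits(2048, 4), 1), "bits")
```

Note that the search-space figures only describe uniformly random secrets; the policy check cannot tell a random 8-character string from a keyboard-walk that happens to satisfy the class counts, which is exactly the weakness the comment is complaining about.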