The problem with changing the login password on your computer is that it takes a while to stop keying in the old one when you first sit down. Even a long password is largely typed on autopilot on systems that are used regularly. Would it be better never to change it? Probably not, although I am glad that thinking on the matter has largely shifted away from suggesting there is a benefit in changing it over a short period, like 90 days.
For systems in regular use, about once a year isn’t too bad: it lets you keep your password up to scratch, stops you getting too rusty at the process of changing it, and prevents it becoming too deeply ingrained. I can still remember the phone number, including dialling code, from when I was growing up, while I’d struggle to recall the number of the place I lived at for ten or so years in Lewisham (0208… but that applies to anywhere in Greater London). If you only changed your password when you got a new machine, or even when you thought it might have been breached, it would take more than a few days to get past that autotyping response!
By the way, my summary of current best practice is that it is better to think of passphrases than passwords. The critical factor is length, for which I’d suggest at least 16 characters. I think people are getting the hang of this. When I started doing InfoSec induction sessions at work about 2.5 years ago, people would balk when I suggested 15+ characters, but now I rarely get the dropped-jaw look even though I’m now advocating 16+. You’ll need to run several words together, preferably with favourite spelling mistakes, foreign additions, playful shortenings and perhaps a few numbers and special characters that make sense to you.
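To show why length beats character-class tricks, and why the spelling mistakes help, here is an added example (mine, not from the post) that scores candidates under two crude attacker models: character-by-character brute force, and guessing whole words from a list. The word list, its assumed size and the sample secrets are all constructed for illustration.

```python
import math
import re

MIN_LENGTH = 16        # the post's recommendation: at least 16 characters
WORDLIST_SIZE = 7776   # assumed size of an attacker's word list (constructed assumption)

# Constructed stand-in for the attacker's dictionary: only these count as "known" words.
KNOWN_WORDS = {"correct", "horse", "battery", "staple", "thirsty", "walrus", "pyjamas"}


def charset_size(secret: str) -> int:
    """Size of the smallest conventional character pool that covers every character."""
    size = 0
    if re.search(r"[a-z]", secret):
        size += 26
    if re.search(r"[A-Z]", secret):
        size += 26
    if re.search(r"[0-9]", secret):
        size += 10
    if re.search(r"[^A-Za-z0-9]", secret):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(secret: str) -> float:
    """Search space (in bits) if the attacker tries every character combination."""
    size = charset_size(secret)
    return len(secret) * math.log2(size) if size else 0.0


def wordlist_bits(secret: str):
    """Search space if every word is straight off the attacker's list; None if any word is not.
    Simplification: words are only recognised when separated by non-letters, so run-together
    or misspelled words fall back to the brute-force model (a real cracker tries harder)."""
    words = re.findall(r"[A-Za-z]+", secret)
    if not words or any(w.lower() not in KNOWN_WORDS for w in words):
        return None
    return len(words) * math.log2(WORDLIST_SIZE)


def effective_bits(secret: str) -> float:
    """An attacker picks the cheapest applicable model, so the defender scores the minimum."""
    wl = wordlist_bits(secret)
    bf = brute_force_bits(secret)
    return bf if wl is None else min(bf, wl)


def evaluate(secret: str) -> dict:
    """Summary a policy check could report: length, bits under the worst model, 16+ rule."""
    return {
        "length": len(secret),
        "bits": round(effective_bits(secret), 1),
        "meets_length_policy": len(secret) >= MIN_LENGTH,
    }
```

Run `evaluate` over a short symbol-heavy password, a plain four-word phrase, and the same phrase with misspellings to see the ordering the post argues for.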
There is more that could be said but, for now, just remember longer is better. And, as you can see, I did manage to log in this morning with my new passphrase!