I love that the British GCHQ has finally realized that changing passwords regularly is actually bad policy, and increases risks. It is quite simple: remembering good passwords is work, and you are better off if you put the effort into remembering a few complex, unguessable passwords, instead of creating many weak, changing passwords.