Yeah, but how much less secure is my strong password after a year, compared to after 3 months? Is 3 months some sort of optimized compromise between how often hackers get access to my mid-sized engineering consulting company's password list and how often I need to enter my password? Or is it some arbitrary bullshit thing that makes upper management feel better, as per TSA theater at the airport?
How much less secure it is after a year compared to 3 months depends entirely on how often you re-use that password, because the more it is reused and the more time has passed, the likelier that the password has been stolen from a hacked website on which you used it. Once that happens, all your other accounts using the same password are highly vulnerable.
A lock on your door won't keep burglars out. It will just make the door a more difficult entry point than, say, breaking a window or cutting through a wall. Perhaps it will make the burglars decide that your neighbor's house is an easier target than yours.
There are various ways a hacker may gain access to my accounts. But if and when they do, it won't be by guessing my passwords, because those are more difficult to guess than other ways over which I have no control. As long as nobody has come close to guessing my password, there is no good reason to force me to change it.
The site operator has no way of knowing how frequently you re-use your passwords, so they have to make some assumptions that suit the average person (who re-uses them frequently).
Note also that standard good procedure for web sites is to block access entirely after a specific number of failed attempts. So a hacker can only try three or four, or maybe at most ten guesses before the account is locked and I am notified. If I was not the one who was trying wrong passwords (because I forgot mine) then the alert will let me know that something is going on. And even then, changing the password is not necessarily the best choice, since the hacker didn't get in.
That's not how large-scale attacks work. They work by compromising the service and stealing the database of hashed and salted passwords (pray that they are at least hashed and salted!). They can then run unconstrained offline attacks on these databases using dictionaries and, if they manage to find the salt, rainbow tables. Then, once they've obtained your password through an offline attack, they will use it to log in.
Again, I don't use guessable passwords.
If it's 10 characters or less and contains any dictionary words, it probably wouldn't last very long against an offline attack.
It would be much easier for someone to bribe a banker into turning over my social security number and then calling the bank and pretending to be me, as a reporter did with a friend of his (with permission) to show how easy it is to hijack someone's account using information about them that's easily available.
Not if you live in another country, it probably isn't.
Strong passwords are not the weak link in account security. The problem with passwords is just the people who use weak ones, or who don't even bother to change the default password. And even then, social engineering is probably responsible for more hacked accounts than anything to do with passwords.
Not a chance. Social engineering might possibly be responsible for more targeted hacked accounts than weak passwords (or reset questions) but mass offline attacks on stolen password databases are by far the most prolific source of stolen usernames and passwords. It's not even close. Strong passwords help protect against this, but the older they are the greater the likelihood they have been cracked or stolen.
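The offline attack on a stolen password database that the replies above describe, as an added illustration that is not part of the thread: a toy cost model showing why a per-user salt and a slow KDF change how much work a leaked database hands an attacker, and why a short dictionary password is exposed either way. The wordlist and user accounts are constructed for the demo; the storage and cost functions are hypothetical names.

```python
import hashlib
import os

# Constructed toy data (not from the thread): a tiny wordlist and three users
# whose passwords all appear in it. Two users reuse the same password.
WORDLIST = ["letmein", "sunshine", "dragon", "qwerty12", "football"]
USERS = {"alice": "dragon", "bob": "sunshine", "carol": "dragon"}

def store_unsalted():
    """Worst practice: a bare SHA-256 of the password; equal passwords give equal hashes."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in USERS.items()}

def store_salted(iterations):
    """Better practice: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    db = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        db[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return db

def guessing_cost_unsalted(db):
    """One precomputed table of hashed words serves every user in the database."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in WORDLIST}
    recovered = {u: table[h] for u, h in db.items() if h in table}
    return len(WORDLIST), recovered          # (hash evaluations, exposed accounts)

def guessing_cost_salted(db, iterations):
    """The salt forces the word table to be rebuilt per user; the KDF multiplies each step."""
    kdf_calls = 0
    recovered = {}
    for u, (salt, stored) in db.items():
        for w in WORDLIST:
            kdf_calls += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == stored:
                recovered[u] = w
                break
    # KDF work units: each PBKDF2 call costs roughly `iterations` hash computations.
    return kdf_calls * iterations, recovered

if __name__ == "__main__":
    ops, hit = guessing_cost_unsalted(store_unsalted())
    print(f"unsalted SHA-256: {ops} work units, {len(hit)} of {len(USERS)} accounts exposed")
    ops, hit = guessing_cost_salted(store_salted(1000), 1000)
    print(f"salted PBKDF2:   {ops} work units, {len(hit)} of {len(USERS)} accounts exposed")
```

Both schemes expose every account here because the passwords are dictionary words; the salt and KDF only raise the price per account, which is the point the reply makes about short, guessable passwords.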