Sure it does. A lot of people re-use passwords with different services, so if one gets compromised, then criminals have that password.
On top of it, people get compromised all the time. It's trivial for a virus to nab your saved browser passwords. Or someone sends you a phishing link and you happily type in your credentials. It looked official, right?
All of this is invisible to the end user, typically. From the IT side of things these credentials are used for all sorts of things like authenticating with smtp to use our mail server to send spam, log into ftp sites to host malware, etc, etc. Then the end user angrily walks up to IT saying, "Everyone is saying my emails are spam. Why do you guys suck so much??!!"
Forcing password rotation helps with this because there's a chance the password that got leaked is or will soon be retired. It also helps in scenarios when employees give their passwords out to other employees and then one of them gets fired and starts fucking with the system using someone else's credentials.
In short, a lot of these policies exist because people are stupid. Don't blame those of us trying to mitigate the damage. That said, you don't need a 30-day expiration. I find 120-180 days works well enough. You don't need complexity turned on as much as you need a sane minimum length. I'd rather train people to use "mydogsnameisAlbert" than "Password1".
If you rotate passwords every month, your users will be annoyed and use passwords that are either trivial, written down, or a trivial variation from month to month.
In other words, they will resort to using less-secure passwords. The notion that rotating passwords improves security is little more than a cargo-cult.
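Two of the points above (prefer a sane minimum length over complexity rules, and the "trivial variation from month to month" failure mode of forced rotation) are easy to turn into an actual policy check. The following is an added example, not code from any poster in this thread; the 15-character minimum, the 0.7 similarity threshold and the tiny common-password list are illustrative assumptions, and a real deployment would use a breached-password list instead of a hand-written set.

```python
"""Password policy check: length over complexity, plus rejection of
trivial variations of a previous password.

Added example; not code from the thread. MIN_LENGTH, MAX_SIMILARITY and
COMMON are assumptions chosen for illustration.
"""
import re
from difflib import SequenceMatcher

MIN_LENGTH = 15         # assumption: "a sane minimum length"
MAX_SIMILARITY = 0.7    # assumption: reject if >= 70% of the new password
                        # lines up with the old one

# Constructed stand-in for a breached/common-password list.
COMMON = {"password", "letmein", "welcome", "qwerty", "123456"}


def normalise(pw: str) -> str:
    """Lowercase and strip trailing digits/punctuation, so that
    'Password1' -> 'password' and 'Winter2024!' -> 'winter'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_trivial_variation(new: str, old: str) -> bool:
    """True when the new password is the old one with the suffix bumped,
    or when most of its characters line up with the old one."""
    if normalise(new) == normalise(old):
        return True
    ratio = SequenceMatcher(None, new.lower(), old.lower()).ratio()
    return ratio >= MAX_SIMILARITY


def check_password(new: str, history=()) -> list:
    """Return the reasons a password is rejected; an empty list means
    it is accepted. `history` holds the user's previous passwords
    (in practice you would compare against stored hashes of the
    normalised forms, not plaintext)."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(new) in COMMON:
        reasons.append("a common password with digits/punctuation tacked on")
    for old in history:
        if is_trivial_variation(new, old):
            reasons.append("trivial variation of a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, hist in [
        ("Password1", ()),
        ("mydogsnameisAlbert", ()),
        ("mydogsnameisAlbert2", ("mydogsnameisAlbert1",)),
        ("Winter2024!", ("Winter2023!",)),
        ("correcthorsebatterystaple", ("mydogsnameisAlbert",)),
    ]:
        print(pw, "->", check_password(pw, hist) or "accepted")
```

Note that "Password1" fails twice (too short and a dictionary word with a digit bolted on) even though it would satisfy a typical "upper, lower, digit" complexity rule, while the long passphrase passes with no complexity classes at all. The history comparison only helps if you keep something to compare against; storing the previous hashes and re-running the normalised candidate through them is the usual way to do that without keeping plaintext around.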
Keeping a password written down (in your wallet, in your desk, etc) is probably safer than you'd think, because people generally know how to secure physical items, but they're much less certain about how to secure digital information.
I think it's obvious that expiring passwords increases security to some degree. It's also clear that user reactions will induce people to reduce the security of those passwords. The password expiry interval you choose (potentially as long as the duration of the system's existence) depends on your threat model, really. Security is hard and often application-specific.