Keeping a password written down (in your wallet, in your desk, etc) is probably safer than you'd think, because people generally know how to secure physical items, but they're much less certain about how to secure digital information.
I think it's obvious that expiring passwords increases security to some degree. It's also clear that user reactions will induce people to reduce the security of those passwords. The password expiry interval you choose (potentially as long as the duration of the system's existence) depends on your threat model, really. Security is hard and often application-specific.
I think it's obvious that expiring passwords increases security to some degree. It's also clear that user reactions will induce people to reduce the security of those passwords. The password expiry interval you choose (potentially as long as the duration of the system's existence) depends on your threat model, really. Security is hard and often application-specific.