Change passwords when there is a specific reason to do so.
Changing passwords whenever there is a specific reason to believe that there is an exposure is clearly a sensible idea. But if carried to extremes, it may be too expensive for the level of the exposure. This approach calls for knowing when an event has occurred and which systems may be affected by it. Examples of events causing obvious exposures include the movement of an employee from one job to another, a known computer break-in, or a change in key personnel. In each case, access in excess of that necessary for the users' job functions is caused by their ability to access accounts using known passwords. Figuring out which systems may be affected is somewhat complicated by interdependencies between systems and commonalities among them. For example, if a file server password is exposed, it may affect all of the systems that use that file server. If the same user has access to multiple systems, they likely use the same or similar passwords on many of those systems, and all of those systems are therefore exposed. There are many other similar examples.
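The two coupling effects described above (systems that rely on a shared service, and users who reuse the same or similar passwords across systems) can be turned into a simple scoping calculation for an incident responder: given an event, which passwords actually need to change? The following is an added example, not code from the original text; the dependency map, the user account lists and the system names are constructed for illustration, and the assumption that a break-in on one system exposes the passwords of every user who has an account there (and hence their other systems) is a labelled generalization of the text's reuse argument that can be switched off.

```python
"""Scope the password rotation that an exposure event requires.

Added example (not part of the original text). Models the two
kinds of coupling the text describes:
  1. systems that depend on a shared service (e.g. a file server), and
  2. users who reuse the same or similar passwords across systems,
and computes, to a fixed point, the set of systems whose passwords
should be changed after an event. All names below are constructed.
"""
from collections import deque

# Constructed sample: system -> set of systems it relies on (trusts,
# authenticates against, or mounts).
DEPENDS_ON = {
    "workstation-a": {"fileserver-1", "mail"},
    "workstation-b": {"fileserver-1"},
    "build-server": {"fileserver-1", "repo"},
    "repo": set(),
    "mail": set(),
    "fileserver-1": set(),
    "hr-db": set(),
}

# Constructed sample: user -> set of systems on which that user has an account.
USER_ACCOUNTS = {
    "alice": {"workstation-a", "mail"},
    "bob": {"workstation-b", "build-server", "repo"},
    "carol": {"hr-db"},
}


def reverse_dependencies(depends_on):
    """Invert the map so we can walk from a service to the systems using it."""
    reverse = {s: set() for s in depends_on}
    for system, deps in depends_on.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(system)
    return reverse


def dependents_of(system, depends_on):
    """Return every system that transitively relies on `system`."""
    reverse = reverse_dependencies(depends_on)
    seen, queue = set(), deque([system])
    while queue:
        current = queue.popleft()
        for user_system in reverse.get(current, ()):
            if user_system not in seen:
                seen.add(user_system)
                queue.append(user_system)
    return seen


def systems_to_rotate(exposed_systems=(), exposed_users=(), *,
                      depends_on=DEPENDS_ON, accounts=USER_ACCOUNTS,
                      assume_password_reuse=True):
    """Compute the systems whose passwords should change after an event.

    exposed_systems: systems whose credentials are known to be exposed
                     (a known break-in, a leaked service password).
    exposed_users:   users whose access must be rotated (job change,
                     departure of key personnel).
    assume_password_reuse (assumption, not from the text's data): a user
    with an account on an exposed system is treated as having the same
    password elsewhere, so all of that user's systems are exposed too.
    """
    affected = set(exposed_systems)
    for user in exposed_users:
        affected |= accounts.get(user, set())

    # Iterate until no rule adds a new system.
    while True:
        before = len(affected)
        # Rule 1: anything that relies on an exposed system is exposed.
        for system in list(affected):
            affected |= dependents_of(system, depends_on)
        # Rule 2: password reuse carries exposure across a user's accounts.
        if assume_password_reuse:
            for user_systems in accounts.values():
                if user_systems & affected:
                    affected |= user_systems
        if len(affected) == before:
            return sorted(affected)


if __name__ == "__main__":
    print("file server password exposed:",
          systems_to_rotate(exposed_systems=["fileserver-1"]))
    print("carol changes jobs:", systems_to_rotate(exposed_users=["carol"]))
```

Run with a leaked file server password and the reuse assumption on, the calculation pulls in every system except `hr-db`, which is only reached by a user with no account elsewhere; with the reuse assumption off it stops at the systems that directly or indirectly mount the file server. The difference between those two answers is exactly the cost the text is warning about: how far a rotation has to reach depends on what you are willing to assume about password reuse.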
Change passwords at convenient system changeover times.
There is nothing inherently wrong with this practice, and indeed all new systems should have all user passwords initially set to non-default values. But this does not address the other exposure issues and is thus of limited value.
Change passwords at regular intervals.
This is recommended by most security standards and thus widely accepted. There are, however, some problems with changing passwords at regular intervals. Some of the major problems include:
The basic reason to change a password is that the password in question may be known to an unauthorized user. The period of time between when an unauthorized user learns a password and when the password is changed represents a period of exposure to attack. The goal of password changes is to reduce this exposure. It is also important to consider that even a fairly short exposure period can have serious consequences. In many cases, within seconds to minutes of an initial break-in, "back doors" are put in place to allow reentry to the system even if the passwords are changed. For this reason, simply changing passwords may not be an effective action when an exposure occurs.