Over the past few years there has been a lot of discussion and research on the weaknesses of passwords. Should passwords be changed on a periodic basis? What is the right compromise between complexity requirements and a user's ability to memorize the password? Is single sign-on too risky? Are passwords effective at all? Arguments for and against each position, and their proponents, can be found everywhere.
Being the rational, level-headed guy I am, I like to look at each scenario from a risk-based perspective. You have to consider the vulnerability and the threat together, then pick a control that addresses the specific risk you have identified. In some cases you will pick multiple controls to address multiple risks.
Will changing passwords every 90 days stop a phishing attack? No. End-user training should address that risk. Will it stop a brute-force attack? No. Password length and complexity, together with lockout or rate limiting on the login endpoint, address that risk. What periodic rotation does address is the length of exposure after an account is compromised without anyone noticing: the window closes at the next forced change instead of staying open indefinitely. Will a savvy attacker create a new account so that they keep access once the compromised password is changed? Yes. The control for that is monitoring: someone reviewing account-creation events (on Windows, Security event ID 4720) should spot the attacker's newly created account, especially one created by a non-administrative user or without a corresponding change request.
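The monitoring step above, as an added example that is not part of the original post: a small detector that reads account-creation and password-reset events and flags new accounts whose creator is not an authorized provisioner, or whose creator's own password was reset within a configurable window (the pattern where an attacker on a compromised account provisions a second account before the password change cuts them off). Event IDs 4720 (account created) and 4724 (password reset) are the real Windows Security Log values; the JSON field names, the allow-list of provisioners and the log lines themselves are constructed for the example.

```python
"""Flag account creations that look like attacker persistence.

Added example, not code from the original post. The log format below is
constructed; a real collector (Windows Event Forwarding, a SIEM export)
will use its own field names, so adapt parse_log() accordingly.
"""
import json
from datetime import datetime, timedelta

# Windows Security Log event IDs (real values).
ACCOUNT_CREATED = 4720   # "A user account was created"
PASSWORD_RESET = 4724    # "An attempt was made to reset an account's password"

# Constructed sample log, one JSON object per line. "subject" is the account
# that performed the action, "target" is the account acted upon.
SAMPLE_LOG = """\
{"time": "2024-03-01T09:00:00", "event_id": 4720, "subject": "helpdesk01", "target": "bob.new"}
{"time": "2024-03-02T22:14:00", "event_id": 4720, "subject": "alice", "target": "svc-backup"}
{"time": "2024-03-03T08:30:00", "event_id": 4724, "subject": "helpdesk01", "target": "alice"}
{"time": "2024-03-03T09:10:00", "event_id": 4720, "subject": "helpdesk01", "target": "carol.t"}
"""

# Assumed allow-list: accounts that are expected to provision new users.
AUTHORIZED_PROVISIONERS = {"helpdesk01"}


def parse_log(text):
    """Parse JSON-per-line log text into event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def find_suspicious_creations(events, authorized=AUTHORIZED_PROVISIONERS,
                              window=timedelta(hours=72)):
    """Return a finding for each 4720 event that matches a persistence rule.

    Rule 1: the creating account is not on the provisioning allow-list.
    Rule 2: the creating account's own password was reset within `window`
            of the creation (before or after), i.e. the creator was itself
            treated as compromised around the time it made a new account.
    """
    resets = [e for e in events if e["event_id"] == PASSWORD_RESET]
    findings = []
    for ev in events:
        if ev["event_id"] != ACCOUNT_CREATED:
            continue
        reasons = []
        if ev["subject"] not in authorized:
            reasons.append("creator is not an authorized provisioner")
        for r in resets:
            if r["target"] == ev["subject"] and abs(r["time"] - ev["time"]) <= window:
                reasons.append(
                    f"creator's password was reset at {r['time'].isoformat()}, "
                    f"within {window} of the creation")
        if reasons:
            findings.append({
                "created": ev["target"],
                "by": ev["subject"],
                "time": ev["time"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_creations(parse_log(SAMPLE_LOG)):
        print(f"REVIEW: '{f['created']}' created by '{f['by']}' at {f['time']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

On the constructed log, only `svc-backup` is flagged: it was created by `alice`, who is not a provisioner, and alice's password was reset about ten hours later. The two creations by `helpdesk01` pass both rules. The allow-list keeps the noise down, but rule 2 is the one that catches the post's scenario even when the compromised account is itself an administrator, which is why it is worth correlating resets with creations rather than reviewing 4720 events in isolation.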
The truth is, no security control is perfect. Each is designed to address one risk: a specific threat against a specific vulnerability. The lesson is to use only the controls that address the risks that concern you. So before deciding how to use passwords, determine your risks first, then choose the controls that most reduce the risks you care about.