Paul Ducklin and Chester Wisniewski take a look at the thorny issue of imposing password rules and regulations, in this audio episode, entitled Busting Password Myths.   Their discussion considers:

When should you (be forced to) RESET your password?

Is forcing "COMPLEXITY" (length, nature of characters, case) in passwords necessarily a good idea?

Is it okay to REUSE the same password for different sites/applications?