I’m not asking you to take my word for it. In fact, don’t listen to me at all. Listen to science.
Anyway, yes, we know. There’s not a lot we can do about it though, thanks to silly PCI requirements and auditor requirements. They literally fail you if you *don’t* enforce a password change mechanism.
Via corenominal, who you should probably follow