The FTC actually recommends against organizations using regular password changing policies as it only encourages users to use simple, easy-to-remember passwords that they then only alter in predictable ways.