The problem
I regularly have a debate with my CTO which usually begins something like this ...
CTO: My password expired, that should never happen.
Me: It's a security risk to never expire passwords.
CTO: It's a security risk to force passwords to be reset because users have bad habits.
Me: Yes, but the security is in the user, not the system; enforcing password expiry ensures the system is secure in the event of an unknown breach of the userbase.
This raises an interesting question: neither of us is primarily a system administrator, but we are both in a position where we need to apply a policy to this effect, and we don't really agree on what the right answer should be.
My standing
The system is more secure if you force all users to change their passwords in X amount of time, where X is computed by determining the strength of the algorithm used to protect the password and an estimated time to break (with brute force) the raw value back into the original password.
CTO's Standing
The act of forcing users to change their passwords all the time results in patterns (****123-"like" patterns) over time, or users write passwords down, meaning the users' "bad habit" is more of a risk to the system than the data being compromised in some more technical manner (e.g. through brute forcing).
So I would like to know
Is there some way I can prove either way whether or not we should enforce a password reset policy based on some industry best practice?
OR
Is one of us just plain wrong?