Sunday, May 14, 2006

Password myth

Here is a piece which argues that changing passwords on a periodic basis is no longer effective. I dislike the article not for its position but for the assumptions underlying the author's arguments. Example: He argues that passwords can be quickly cracked by various modern-day programs. He assumes that the attacker already has custody of your password file. If that's the case, you have other problems too. With sufficient layered defenses, this wouldn't be the case.

It all boils down to deciding what you need to do to adequately protect (there's no 100% solution) whatever it is you're protecting.