My online banking site wants me to change my password every couple of months. No wonder the password now looks like Blahblahblah16 (not literally “Blahblahblah”, don’t worry), and it isn’t hard to guess that it will be Blahblahblah17 the next time they make me change it.
In theory, changing your password from time to time should make your banking more secure: if someone finds out what your password is, they won’t be able to use it forever (not a big win, by the way, since an attacker who has a working password tends to use it right away rather than wait for the rotation to expire, but that’s another story). In practice, though, this does not work, because not all passwords are created equal, and the more often you make me change them, the more predictable they tend to become.
If you make people do what they don’t want to do, they will try to cheat and avoid actually doing it. Here, I add numbers to my “base” password. Some systems prevent this by forcing your new password to be significantly different from the previous one. But people are smarter than machines, and they will find a loophole. For example, I could have used two strong and very different passwords and switched between them every time the site asked me. Disallow this, and I will come up with a strong, original, completely non-repeating and nonsensical password every time, and write it down on a sheet of paper.
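To make the two checks above concrete, here is an added example (mine, not the bank’s code or anything from the original post) of what a password-change policy typically does: a “significantly different” test that rejects Blahblahblah16 → Blahblahblah17, and a salted password history that is what actually closes the two-password alternation loophole. The thresholds, the history depth and the sample passwords are my own assumptions.

```python
import hashlib
import hmac
import os
import re

# Added illustration of a password-change policy check; not from the original
# post. Thresholds and history depth are assumptions chosen for the demo.


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def strip_trailing_digits(password: str) -> str:
    """'Blahblahblah16' -> 'Blahblahblah': the 'base' the post describes."""
    return re.sub(r"\d+$", "", password)


def too_similar(old: str, new: str, min_distance: int = 4) -> bool:
    """The 'must be significantly different from the previous one' rule.

    Catches the same base with a new numeric suffix, and any change that is
    only a few edits away. Requires both plaintexts, so it can only run at
    change time when the user has just supplied the old password.
    """
    if strip_trailing_digits(old) == strip_trailing_digits(new):
        return True
    return levenshtein(old, new) < min_distance


class PasswordHistory:
    """Keeps salted hashes of the last `depth` passwords, most recent last."""

    def __init__(self, depth: int) -> None:
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Iteration count is a demo value; production uses a slow KDF tuned
        # to the hardware (Argon2id, scrypt, or PBKDF2 with many more rounds).
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def seen(self, password: str) -> bool:
        return any(hmac.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in self._entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._hash(password, salt)))
        self._entries = self._entries[-self.depth:]


def change_allowed(history: PasswordHistory, current: str, new: str) -> tuple[bool, str]:
    """Apply both checks; returns (allowed, reason)."""
    if too_similar(current, new):
        return False, "too similar"
    if history.seen(new):
        return False, "reused"
    return True, "ok"


def alternation_succeeds(depth: int) -> bool:
    """Does switching between two strong passwords get past a history of this depth?"""
    pw_a, pw_b = "correct horse battery staple", "Tr0ub4dor&3 is a different one"  # constructed
    history = PasswordHistory(depth)
    history.add(pw_a)                      # user currently has pw_a
    ok_b, _ = change_allowed(history, pw_a, pw_b)
    history.add(pw_b)
    ok_a, _ = change_allowed(history, pw_b, pw_a)  # try to switch back
    return ok_b and ok_a


if __name__ == "__main__":
    h = PasswordHistory(depth=5)
    h.add("Blahblahblah16")
    print(change_allowed(h, "Blahblahblah16", "Blahblahblah17"))  # rejected
    print("history of 1 beaten by alternation:", alternation_succeeds(1))
    print("history of 2 beaten by alternation:", alternation_succeeds(2))
```

With a history that only remembers the previous password, the two-password switch sails through; a history of two or more blocks it, which is exactly the point where the user reaches for the sheet of paper. Note that every check here only moves the predictability around rather than removing it, which is why current guidance (NIST SP 800-63B) says verifiers should not require periodic password changes at all unless there is evidence of compromise.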