Interesting article from ZDNet. This is why I prefer a company specified and IT retained password for small organizations. It also means that IT support work can be done outside business hours so as not to impact on staff productivity:
Forcing users to change their passwords may do more harm than good: (ZDNet) http://www.zdnet.com/article/forcing-users-to-change-their-passwords-may-do-more-harm-than-good/
Further, Cranor notes that "There is also evidence from interview and survey studies to suggest that users who know they will have to change their password do not choose strong passwords to begin with and are more likely to write their passwords down."