
I think you're missing my key point: you have to compare two different risks, based on observation. The first risk is the risk of continuing to use a compromised password. The second risk is the risk of users introducing weaker passwords because they continually change them. We can use our reasoning to come up with a decent probability for the first risk. We cannot do so for the second risk, since it depends on how people behave. We must study people to assign a number to the second risk.


I think I see your point, but you have to admit you haven't really established a foundation for your argument. You seem to feel (and I may be wrong of course) that one person selecting a fairly secure pass phrase once would be much more secure at any single point in time than a haphazard, dictionary-based pass phrase that in comparison would likely be trivial to compromise at that same point in time. If that is indeed your point, you do convey a valid point.

I just ask that if you advertise this method as somehow ideal, then please allow your audience to appreciate it for what it is: an "if all else fails, it's better than nothing" approach.


You've almost got it, but you've missed the main subtlety: I'm asking a question, not making a statement. I'm not advocating what we should do. I'm stating that what we should do is actually unknown because we don't have all of the information. Specifically, we don't know human behavior when it comes to rotating passwords. If it turns out that people actually choose good passwords under a rotating password policy, then we should keep the rotating password policy.

My only prescription is to say, instead of telling everyone "this is how you should behave" in order to achieve the best security, we should design our security policies based on how people actually behave. My assertion here is that if we do this, we will end up with better actual security than if we came up with a policy that, on paper, is better, but is not well implemented by people in the wild.
