Pick a good password, then never change it

Glenn Fleishman has some advice that may seem counterintuitive: never change your password. If your password is long and random enough to avoid brute force or dictionary attacks, unique to the service, and has not been leaked, you should never need to change it. Glenn's article is a nice history tour of the mentality behind this particular idée fixe, too.

Crackers used to be able to run unlimited password guessing attempts at many website login pages. It took shockingly long for companies to build in throttles and timeouts to disable such attacks. Nowadays a guessing attack only works if the cracker already knows enough about the target to guess correctly within the maximum number of failed attempts, and two-factor authentication stops even that method cold. Crackers don't bother with such attacks anymore unless they find unthrottled login pages.
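The throttle described above, as an added example (not code from Glenn's article or this post): a per-account login guard that counts consecutive failures, refuses every attempt for a lockout window once the limit is hit, and stores passwords with a salted slow hash. The account name, password and guess list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # failed guesses allowed before the account is throttled
LOCKOUT_SECONDS = 15 * 60   # how long further attempts are refused after that


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked store is also expensive to attack offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class FakeClock:
    """Constructed clock so the lockout window can be tested deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ThrottledLogin:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}     # username -> (salt, digest)
        self.failures = {}  # username -> (consecutive failures, locked_until)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def attempt(self, username: str, password: str) -> str:
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"   # refused without checking the password at all
        # Hash and compare in constant time even for unknown users, so the
        # response timing does not reveal which usernames exist.
        salt, digest = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        ok = hmac.compare_digest(hash_password(password, salt), digest)
        if ok and username in self.users:
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[username] = (0, now + LOCKOUT_SECONDS)
        else:
            self.failures[username] = (count, 0.0)
        return "denied"
```

A wordlist run against one account gets five "denied" answers and is then "locked" even when the sixth guess is the real password; the legitimate owner is let back in only after the window expires.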

Like many congealed security principles, "compulsory password changes" was written in blood decades ago—but now the policy itself flags more subtle vulnerabilities.