by tdewitt
2498 days ago
It was a "good enough" practice until better options came along. It's never been a "good" practice. Take a look at lists of breached passwords and you'll see an overwhelming number of passwords that involve replacing vowels with numbers in common words. Humans are bad at picking complex passwords because they're not easy to remember. We had to adjust the rules over time to deal with that: minimum complexity rules, require a capital letter, require a number, require a "special" (but not too special because we still don't do proper sanitization), no repeating the same password until you've rotated N times, no repeating the same password until you've rotated N times AND there's a minimum age. Those rules all came into play because people can't be relied on to be smart about passwords. Password expirations are insufficient and it has always been a game of cat-and-mouse with people who hate them. Good security is something people willingly use or don't know they're using, so they don't try and work around it.