Hacker News
by bandrami 1092 days ago
It's an exposure mitigation rather than a cracking mitigation, isn't it? The idea is that if it got badly stored somewhere it's only dangerous for 30 days or whatever.

Yes, I suppose it is an exposure mitigation as well. Although if someone is having users change passwords every 30 days (or 30 seconds? whatever) due to exposure I have a lot of WTF questions. If passwords suffer from that much unavoidable exposure I'd be expecting automated systems (hello HOTP / TOTP) and OOB authenticators which are resistant or agnostic to that exposure.

(ssa.gov generates printable one-time pads if you're masochistic enough to request one.)