"Changing passwords is a waste of time" is the signal opinion of someone who has never been on either end of a network penetration test before.
How the universe actually works is: (1) of 1,000 servers, break into 1, (2) recover cached or hashed passwords, (3) reuse those passwords on every system on the network, (4) repeat 1-3 until you own 90% of the machines on the network.
There's lots of room to criticize bureaucratic security policies, but they sure picked a dumb one to focus on.
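The credential-reuse loop in steps (2) and (3) above leaves a distinctive trace on the defender's side: one account succeeding against many distinct hosts in a short window. The following is an added example (not code from the original thread or from any product) of that detection run over constructed auth-log lines in a hypothetical `timestamp user src dst result` format; the account names, hosts and threshold values are assumptions for illustration.

```python
"""Flag one credential authenticating to many hosts in a short window.

Added example with constructed sample data. The log format
(timestamp user src dst result) is hypothetical, as are the hosts,
accounts and the thresholds used below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# svc_backup hits six hosts in under twenty seconds; alice and bob
# show ordinary interactive use.
SAMPLE_LOG = """\
2024-05-01T10:00:02Z svc_backup 10.0.0.5 db01 SUCCESS
2024-05-01T10:00:05Z svc_backup 10.0.0.5 db02 SUCCESS
2024-05-01T10:00:09Z svc_backup 10.0.0.5 web01 SUCCESS
2024-05-01T10:00:12Z svc_backup 10.0.0.5 web02 SUCCESS
2024-05-01T10:00:15Z svc_backup 10.0.0.5 fs01 FAILURE
2024-05-01T10:00:18Z svc_backup 10.0.0.5 mail01 SUCCESS
2024-05-01T10:00:21Z svc_backup 10.0.0.5 dc01 SUCCESS
2024-05-01T09:00:00Z alice 10.0.1.7 web01 SUCCESS
2024-05-01T11:30:00Z alice 10.0.1.7 web01 SUCCESS
2024-05-01T11:36:00Z alice 10.0.1.7 fs01 SUCCESS
2024-05-01T08:00:00Z bob 10.0.1.9 db01 SUCCESS
2024-05-01T16:00:00Z bob 10.0.1.9 web02 SUCCESS
"""


def parse_log(text):
    """Parse the hypothetical log format into (ts, user, src, dst, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, src, dst, result))
    return events


def detect_credential_reuse(events, window=timedelta(minutes=10), min_hosts=5):
    """Return {user: info} for users whose successful logons reach at least
    min_hosts distinct destination hosts inside any sliding time window.

    Only successes are counted: a harvested password that works is the
    signal here, failures belong to a separate spraying detection.
    """
    by_user = defaultdict(list)
    for ts, user, _src, dst, result in events:
        if result == "SUCCESS":
            by_user[user].append((ts, dst))

    alerts = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        in_window = defaultdict(int)   # dst host -> logons inside window
        best, best_span = 0, None
        for ts, dst in items:
            in_window[dst] += 1
            # Slide the window start forward until it fits.
            while ts - items[start][0] > window:
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > best:
                best, best_span = len(in_window), (items[start][0], ts)
        if best >= min_hosts:
            alerts[user] = {"distinct_hosts": best,
                            "first": best_span[0], "last": best_span[1]}
    return alerts


if __name__ == "__main__":
    for user, info in detect_credential_reuse(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['distinct_hosts']} hosts between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

The thresholds are deliberately crude; in practice the window and host count would be tuned per account class (a backup service account legitimately touches many hosts), which is exactly why a hit on an interactive user account is worth an immediate look.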
I agree with you from a network administrator's point of view. But, from a simple home user's point of view, that person is going to get a lot more security benefit out of making sure his or her software (in particular, web browsers) is updated, running as an unprivileged user, and never directly clicking on links in emails that claim to be from a financial institution than out of changing his or her passwords every X months.
The way a typical home system is compromised is through some sort of malware infection. Take me as an example. Say you were able to get my Hacker News password. What would that get you? You could login to HN and post as me. Big deal. That password gets you nothing in terms of being able to get to any of my data that I'd consider valuable (which is all on my home systems, protected by completely different passwords).
I think what we're supposed to take away from this article is that the only security advice that's worth a damn is advice people actually follow. In other words, you have to make it simple for them. Stuff like keeping software updated is generally pretty easy because it can be done automatically; ditto running as an unprivileged user and not clicking directly on links.
So in the vein of "the only security advice that's worth a damn is advice people actually follow," most non-technical people I know 1) don't check on the link before they click it, 2) run as privileged, and 3) use the same password everywhere. They are not following that advice.
Edit: And even if users check what link they are about to click, what of shortened URLs?