As a security administrator, you decide to force expiration of all user passwords. Which of the following best supports this reasoning?