Do We Need To Change Passwords?
Information Security Professiona
In my previous post, I described how passwords are stored as a way of explaining why your corporate infosec department requires you to change them every 60 or so days. To recap:

Your password is stored in a hashed format (a one-way transform, often loosely called "encrypted").

If this password file can be found by a bad guy, it can be downloaded. (And if your sysadmins didn't follow best practice, and instead named it something like "PASSWORD.TXT," it makes it easier to find.)

Once the bad guy downloads it, he can use a readily available tool to try to crack it.

Assuming that your organization requires strong passwords (eight characters; a mix of letters, numbers and uppercase; no dictionary words), then, using the tools he would have available to him, it would take something like 75 days to crack a password.

So if the forced change is every 60 days, by the time he actually deciphers one of your passwords, it would no longer be valid.

But...

I put in italics "the tools he would have available to him" because password policies like this were put in place 10, 20 years ago when a bad guy would basically have only his home PC or PCs at his disposal.

But now there are botnets. You may have heard of them. (I say that in jest; I've read about botnets in the daily paper, so they're not a big secret anymore.)

The point is, botnets are basically as powerful as supercomputers. And some are for rent. So all the bad guy has to do is pay someone a few dollars, run your password file through the collected power of a botnet, and he'll have your passwords in a day or two at most.

So why do we still require passwords to be changed? Because it's still considered best practice. It's just no longer a fool-proof practice.