Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: tacticalogic
there are multiple ways of doing this

Such as?

Changing the passwords forces a potential intruder to have to be continually probing systems trying to discover the new passwords, and risk potentially being discovered themselves in the process.

Probing for passwords? How exactly? If an intruder wants data he will take the data. If he wants a salted hash file, he can have mine. I'll send it to him.

Also, when the password changes, attempts to log on using the old password will be recorded by the security systems, along with the source of the attempted logon.

The source will be someone's compromised home computer or a server in Poland or China.

Having access to a set of credentials with a password that never expires allows an intruder to quietly access and monitor a system for months or even years without setting off those alerts or hitting the tripwires.

Makes sense, but that many intrusions were short.

42 posted on 08/26/2015 1:38:25 AM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)


To: palmer
Such as?

Techniques like social engineering, packet captures, keystroke loggers and dumpster diving have yielded passwords.

Probing for passwords? How exactly? If an intruder wants data he will take the data. If he wants a salted hash file, he can have mine. I'll send it to him.

I do not know all the possible ways there are, and I don't think it's reasonable to expect me to give you a comprehensive course on hacking. Suffice it to say that not all passwords get you access to valuable data. Whenever a set of credentials is acquired you have to test them, possibly against many machines to determine what they do and do not grant access to. A low-level account might not grant you access to any valuable data, but might get you into a workstation where someone with an account that does might log on and let you capture theirs, and the testing starts all over again.

The source will be someone's compromised home computer or a server in Poland or China.

The source of the hack might be, but servers that hold sensitive data are typically firewalled so that they cannot talk directly to home computers in Poland or China. You have to get control of a computer that can talk to both. That is the source that will be recorded in the server's event logs you'll be looking for - the initial ingress point into the internal network.

Makes sense, but that many intrusions were short.

There's no "magic bullet" that will stop every type of intrusion. Things like requiring minimum password lengths and complexity, and periodic changes are basic good practice that will help protect against many known types of intrusion. Network security always starts with the assumption that the system can be breached and may already have been.

43 posted on 08/26/2015 4:21:55 AM PDT by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)
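The point made in post 43, that logon attempts with an old password are recorded along with their source and lead back to the internal ingress host, sketched as detection logic over event records. This is an added example, not code from either poster; the log format, the account name and the addresses are constructed, and events are assumed to be in chronological order.

```python
import re
from collections import defaultdict

# Constructed sample events in a made-up format (not any real product's schema).
# Assumption: events are in chronological order.
SAMPLE_LOG = """\
2015-08-01T08:02:11 LOGON_OK user=jsmith src=10.1.4.23
2015-08-03T02:40:09 LOGON_OK user=jsmith src=10.1.9.77
2015-08-20T09:00:00 PASSWORD_CHANGE user=jsmith
2015-08-20T09:05:31 LOGON_FAIL user=jsmith src=10.1.4.23
2015-08-20T09:05:52 LOGON_OK user=jsmith src=10.1.4.23
2015-08-21T02:41:10 LOGON_FAIL user=jsmith src=10.1.9.77
2015-08-21T02:41:15 LOGON_FAIL user=jsmith src=10.1.9.77
2015-08-22T02:39:58 LOGON_FAIL user=jsmith src=10.1.9.77
"""

LINE = re.compile(
    r"^\S+ (PASSWORD_CHANGE|LOGON_OK|LOGON_FAIL) user=(\S+)(?: src=(\S+))?$")

def stale_credential_sources(log_text):
    """Return {(user, src): failures} for sources that logged on with an
    account under an earlier password and have only failed since the change."""
    old_ok = set()            # (user, src) that succeeded under a previous password
    cur_ok = set()            # (user, src) that succeeded under the current password
    fails = defaultdict(int)  # (user, src) -> failures since the last change
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue          # ignore lines outside the sample format
        event, user, src = m.groups()
        if event == "PASSWORD_CHANGE":
            # Earlier successes now count as "knew the old password"; restart counters.
            moved = {k for k in cur_ok if k[0] == user}
            old_ok |= moved
            cur_ok -= moved
            for k in [k for k in fails if k[0] == user]:
                del fails[k]
        elif event == "LOGON_OK":
            cur_ok.add((user, src))
        else:
            fails[(user, src)] += 1
    # A user who mistypes and then logs on with the new password is excluded by cur_ok.
    return {k: n for k, n in fails.items() if k in old_ok and k not in cur_ok}

if __name__ == "__main__":
    for (user, src), n in stale_credential_sources(SAMPLE_LOG).items():
        print(f"{user}: {n} failed logons from {src} since password change")
```

In the constructed sample the workstation at 10.1.4.23 fails once and then succeeds with the new password, so it is not reported; 10.1.9.77 keeps failing with the old credential and is the host to investigate.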
