It should be obvious to everyone that sensitive information should be protected behind passwords; unfortunately, many passwords are terrible. In particular, people using a commercial system that comes with a default password have a destructive tendency to leave that password alone, meaning anyone familiar with the system can break in without difficulty. It should be school policy that any default passwords must be changed immediately.
At the other extreme, many companies lean towards making users memorize a hideously complex password containing uppercase and lowercase letters, numbers, special characters, a minimum length, etc. The natural result: people write their passwords down! Do require secure passwords (hint: "password" is a lousy password!) but don't make them so complicated that people can't remember them! For similar reasons, you should let people choose their own passwords; semi-random passwords that have special meaning to the user are a lot easier to remember than random passwords chosen by the system!
Require passwords to be changed regularly, but not frequently; twice per year seems a reasonable timeframe unless there's reason to suspect that a password may have been compromised. Like most things in information security, this is a trade-off: more time between changes means a compromised password has more chances to be misused, but less time leads to people having trouble remembering their passwords (which can lead to security issues if they write them down!).
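The three points above (reject vendor defaults and lousy passwords, require a reasonable minimum without forcing an unmemorable mix of character classes, and prompt a change roughly twice a year or immediately on suspected compromise) can be written down as a small acceptance check. The following Python is an added example, not code from the original text; the list of default passwords, the 12-character minimum and the 182-day interval are constructed assumptions that a school would replace with its own values.

```python
from datetime import date, timedelta

# Constructed, illustrative set of vendor default and trivially guessable
# passwords (assumption: a real deployment would load the defaults documented
# for the systems it actually runs).
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "12345678"}

MIN_LENGTH = 12                 # assumption: favour length over forced character classes
MAX_PASSWORD_AGE = timedelta(days=182)  # assumption: "twice per year" as roughly six months


def check_password(candidate, username=""):
    """Return (accepted, reason) for a user-chosen password.

    Deliberately does not demand uppercase/lowercase/digit/symbol mixes;
    a long phrase the user can remember is accepted, a short or default
    password is not.
    """
    lowered = candidate.lower()
    if lowered in KNOWN_DEFAULT_PASSWORDS:
        return False, "default or trivially guessable password"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if username and username.lower() in lowered:
        return False, "contains the user name"
    if len(set(lowered)) < 4:
        # e.g. "aaaaaaaaaaaa": long, but not a real choice of password
        return False, "too few distinct characters"
    return True, "ok"


def password_change_due(last_changed, today=None, suspected_compromise=False):
    """True when a password should be changed now.

    A suspected compromise forces a change regardless of age; otherwise the
    password is due once it is older than MAX_PASSWORD_AGE.
    """
    if suspected_compromise:
        return True
    today = today or date.today()
    return today - last_changed > MAX_PASSWORD_AGE


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw)}")
    print(password_change_due(date(2024, 1, 1), today=date(2024, 9, 1)))
```

Running the module prints a verdict for each sample password; the rejected ones are the default and the short "complex" one, while the long memorable phrase passes.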