@J.G.Harston
The reason for the limitation on Visa (and other) operators is that they use the 'verified by Visa' system that asks you for the 2nd, 7th and 10th character of your password, with the actual ordinals changing randomly each time. They go up to a maximum of 12*. It's intended to make life more difficult for key loggers, shoulder surfers etc.
More generally, the reason for forcing passwords to change regularly is to limit the damage when (not if) one of them 'leaks'.
* not an unreasonable limit. If you allowed (say) 30 character passwords, the chances of most people being able to correctly identify which is the 23rd character of their password is slim.
Biting the hand that feeds IT
