Cybersecurity researchers say systems that force users to change their passwords often actually could be creating security risks.