If your service has an account which you reasonably expect people to only log in to once a year (e.g., the DMV) but you've got password expiration at less than a year, you functionally don't have passwords anyway: users will always need to go through the account recovery process.