The 90 day password change is a fixture of compliance regulations. If you deal with PCI, SOX or HIPA, you probably have to force password changes every 90 days. With PCI, you can lose your ability to take credit cards if you can't show that you force password changes at least every 90 days. (There are ways around it, the most common is lying to the auditor, but that is a different story.)
I have my own theory as to why the 90 days became standard, but was told that my theory was all wrong without any explanation as to why it was wrong. Suffice it to say that 90 days is a standard and if anyone really knows why it became a standard, they aren't talking.
If you ask an auditor, they will tell you that if someone does find your password, either through a key logger, finding your post-it or cracking your password database, they will only have a limited time before that password is changed. You don't even have to know that someone got your password if you change your password on a schedule. Of course, it might not take long before they learn the new password, but that concern is usually dismissed.