3 months is frankly ridiculous; all you're doing there is really annoying your users.
Password security needs to take account of the ease of breaking the password, and what a typical user can be expected to remember.
The most recent research I have read suggests that frequent password changes will encourage your users to use obvious passwords that are easy to guess or remember, or they compromise your security by writing them down on their phone or some other easily mislaid item like a Post-it.
I would instead focus on ensuring the passwords used are of a sensible length to make cracking them difficult.