Is password aging enforced?
Your operating system's default behavior, which we would change here, is to disable an account when the password hasn't changed in 99,999 days. This interval is too long to be useful. We can set the default to 60 days. At some point before the 60 days have passed, the system will ask the user to change his or her password. At the end of the 60 days, if the password has not been changed, the account will be temporarily disabled. We'll make sure this warning period is at least 5 days long. We would make this change in /etc/login.defs.
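One way to audit these two defaults, as an added example that is not part of the original text. It assumes the shadow-utils keys PASS_MAX_DAYS and PASS_WARN_AGE in /etc/login.defs; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit password-aging defaults in a login.defs-style file.
# Thresholds come from the text above: maximum age 60 days, warning >= 5 days.
MAX_DAYS_LIMIT=60
WARN_AGE_MIN=5

# check_key KEY FILE MODE LIMIT  (hypothetical helper)
# MODE "max": every value must be <= LIMIT; MODE "min": every value must be >= LIMIT.
# Every uncommented occurrence of KEY is checked, and at least one must exist.
check_key() {
    awk -v key="$1" -v mode="$3" -v limit="$4" '
        /^[[:space:]]*#/ { next }              # skip commented-out settings
        $1 == key {
            seen = 1
            if ($2 !~ /^[0-9]+$/) {
                printf "FAIL %s=\"%s\" is not a number of days\n", key, $2; bad = 1
            } else if (mode == "max" && $2 + 0 > limit + 0) {
                printf "FAIL %s=%d exceeds %d days\n", key, $2, limit; bad = 1
            } else if (mode == "min" && $2 + 0 < limit + 0) {
                printf "FAIL %s=%d is below %d days\n", key, $2, limit; bad = 1
            } else {
                printf "ok   %s=%d\n", key, $2
            }
        }
        END {
            if (!seen) { printf "FAIL %s is not set\n", key; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$2"
}

# check_aging FILE: returns 0 only if both settings meet the thresholds.
check_aging() {
    rc=0
    check_key PASS_MAX_DAYS "$1" max "$MAX_DAYS_LIMIT" || rc=1
    check_key PASS_WARN_AGE "$1" min "$WARN_AGE_MIN" || rc=1
    return "$rc"
}

# Constructed sample input: the 99,999-day default described above.
demo=$(mktemp)
printf 'PASS_MAX_DAYS 99999\nPASS_WARN_AGE 7\n' > "$demo"
check_aging "$demo" || echo "=> sample file needs hardening"
rm -f "$demo"
```

To audit the real file, run check_aging /etc/login.defs. The values in login.defs are defaults applied when an account is created; existing accounts keep their own aging settings, which chage -l USER displays.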