I would just like to point out something:
Don’t do that.
First of all, it will annoy the users. I have actual dealings with users subject to such a scheme and they’re all bitching about it. And rightfully so, because:
It’s cargo cult security.
It does not make your system any more secure. In fact, it does the complete opposite!
There’s actual research on this where scientists got legal access to two universities’ password databases (about 20,000 passwords each). One university had a mandatory password change after three months, the other university just checked for security once.
Turns out that the passwords with the three months lifespan were less secure on average.
And I can tell you why, exactly: Because nearly every one of my colleagues will use a scheme where the first part of the password is easy to remember and the second part will be a number.
Which they will increment after each mandatory change.
Which in turn means that not only is the password easier to crack but also the second argument for mandatory changes falls apart:
Because the thinking is that, yes, the passwords may be cracked but the change every three months will then render the cracked password invalid.
But you remember the part where nearly everyone will simply affix a number at the end? Which means that any non-braindead hacker will know exactly what the next password will likely look like.
- It introduces a hassle for the users
- It does not gain you any security
- It even weakens security
I understand that this may be unwelcome because it looks so appealing and makes sense at first glance. However, this is also something where someone must ask: Does this actually work the way you think it works? Which is a very important question regarding security - sometimes things really are counterintuitive (Parts of my studies included psychology - you’d be amazed how many instances there are where common sense goes awry).
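The "base word plus a counter" pattern the post describes is something a password-change handler can detect and reject. The following is an added example written for this page, not code from the commenter or from any product; the function names (`split_trailing_number`, `is_trivial_rotation`, `violates_history`) and the sample password history are all constructed for illustration. It flags a candidate password that differs from any previous one only by a trailing number, which is exactly the case where a forced change buys nothing.

```python
import re

# Matches a password that ends in a run of digits: group 1 is the base word,
# group 2 is the counter ("Summer2024" -> "Summer", "2024").
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def split_trailing_number(password: str):
    """Return (base, counter) where counter is an int, or (password, None)
    when the password does not end in digits."""
    m = _TRAILING_DIGITS.match(password)
    if not m:
        return password, None
    return m.group(1), int(m.group(2))


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with a trailing number added or changed.

    This is the increment-the-suffix scheme from the post: 'Summer12' ->
    'Summer13', or 'Summer' -> 'Summer1'. Bases are compared
    case-insensitively so 'summer12' -> 'Summer13' is caught too.
    """
    if old == new:
        return True
    old_base, _ = split_trailing_number(old)
    new_base, new_counter = split_trailing_number(new)
    if new_counter is None:
        return False  # no counter suffix, so not this pattern
    return old_base.casefold() == new_base.casefold()


def violates_history(history, candidate: str) -> bool:
    """Reject `candidate` if it is a trivial rotation of any password in
    `history` (the user's previous passwords, oldest first)."""
    return any(is_trivial_rotation(previous, candidate) for previous in history)


if __name__ == "__main__":
    # Constructed sample: a user who has been incrementing a counter for a year.
    previous_passwords = ["Summer11", "Summer12", "summer13", "Summer14"]
    for attempt in ["Summer15", "SUMMER16", "Winter15", "correct-horse-battery"]:
        verdict = "rejected" if violates_history(previous_passwords, attempt) else "accepted"
        print(f"{attempt!r}: {verdict}")
```

The check deliberately stops at the trailing-number pattern rather than trying to measure general similarity; a real history policy would usually combine it with a minimum edit distance from the last few passwords, but the suffix counter is the specific habit that makes rotation counterproductive, so it is worth catching on its own.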