Encoding password expiry in the rules?

[chucker]

I apologize if this proposal is too off-topic.

Right now, the focus of the Password Rules Language seems to be on the characters it is made up of (and their length). However, a frequent requirement in enterprise environments is to have the entire password expire (regardless of its composition) at a regular basis. I've also seen websites that do this (particularly in finance).

I'm not sure the rules format is the right place to encode this additional piece of information. But if it is, I would propose an extension such as:

expiry: 12-months;

Where -months can also be -days and perhaps -weeks (neither of which map 1:1 to a month).

This could help client software anticipate an upcoming expiry. For example, a password manager (incl. a web browser) could show you a "make sure to update these passwords by date x" view. In addition, when a password has expired, the password manager would have machine-readable information on why a login fails.