- Bug
- Resolution: Fixed
- Minor
- 3.2.5
- None
If a user changes their email address or username from their User Control Panel without changing their password at the same time, this line of code in ucp_profile.php will cause their password last-change time to be reset to 0:
'user_passchg' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0,
If the "user must change password every X days" feature is enabled in the ACP, this causes a password reset to be forced for the user as soon as their username/email address is changed, due to this line in user.php:
It seems like this is a mistake, and if the user isn't updating their password, no change should be made to user_passchg? In that case the ": 0" on this line should become ": $user->data['user_passchg']". Or the assignment to $sql_ary['user_passchg'] could be moved further down next to the line that calls "$user->reset_login_keys();".
The ACP equivalent feature already achieves this by avoiding updating user_passchg entirely unless the password is being edited.
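The following stand-alone PHP sketch is an added illustration, not phpBB source and not code from this report. It compares the ternary quoted above with the proposed ": $user->data['user_passchg']" variant on an email-only profile update. The function names, the sample timestamps and the expiry model in password_expired() are assumptions made for the example.

```php
<?php
// Added illustration, not phpBB code. All function names are hypothetical.

const DAY = 86400;

// Expression quoted in the report: with no new password the timestamp becomes 0.
function passchg_reported(bool $can_change, string $new_password, int $stored, int $now): int
{
    return ($can_change && $new_password) ? $now : 0;
}

// Variant proposed in the report: keep the stored timestamp when no password is supplied.
function passchg_proposed(bool $can_change, string $new_password, int $stored, int $now): int
{
    return ($can_change && $new_password) ? $now : $stored;
}

// Assumed model of "user must change password every X days":
// the password counts as expired once its last change is older than the limit.
function password_expired(int $user_passchg, int $max_age_days, int $now): bool
{
    return $max_age_days > 0 && $user_passchg < $now - $max_age_days * DAY;
}

$now     = time();
$stored  = $now - 10 * DAY; // constructed sample: password changed 10 days ago
$max_age = 90;              // constructed sample: password must change every 90 days

$variants = ['reported' => 'passchg_reported', 'proposed' => 'passchg_proposed'];

foreach ($variants as $label => $fn) {
    // Email-only update: permission is present but the new-password field is empty.
    $after = $fn(true, '', $stored, $now);
    printf(
        "%-8s user_passchg=%d forced_change=%s\n",
        $label,
        $after,
        password_expired($after, $max_age, $now) ? 'yes' : 'no'
    );
}
```

With the reported expression the stored timestamp is replaced by 0, which the expiry model treats as older than any limit; the proposed variant leaves a 10-day-old password inside the 90-day window.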