If a user changes their email address or username from their User Control Panel without changing their password at the same time, this line of code in ucp_profile.php] will cause their password last-change time to be reset to 0:
'user_passchg' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0,
If the "user must change password every X days" feature is enabled in the ACP, this causes a password reset to be forced for the user as soon as their username/email address is changed, due to this line in user.php:
It seems like this is a mistake, and if the user isn't updating their password, no change should be made to user_passchg? In that case the ": 0" on this line should become ": $user->data['user_passchg']". Or the assignment to $sql_ary['user_passchg'] could be moved further down next to the line that calls $user->reset_login_keys();".
The ACP equivalent feature already achieves this by avoiding updating user_passchg entirely unless the password is being edited.