Issue: Functionality is not present for an admin to define a password rotation policy which would require users to change their password after a defined number of days. The risk is that a compromised password could be used indefinitely. There is also a minimal risk that an attacker could brute-force a password each day subject to the account lockout control.

Recommended Resolution: Provide support to allow a Bugzilla admin to define a password rotation policy for users. In addition, it would be beneficial if the policy could be customized per group - with a user bound by the most stringent rotation policy of all groups they are a member of.
See especially bug 284570 comment 3, which is what you are requesting here. And this is neither a major issue nor a security bug.