All users should have a password change date in the past. Rationale: If a users recorded password change date is in the future then they could bypass any set password expiration.