password aging on non-trusted systems

At the end of the encrypted password you add a comma followed by two characters, char1 and char2.
char1 is the maximum number of weeks the password is valid and
char2 is the minimum number of weeks that must pass before the password can be changed. The following is a good guide:

Value   # of weeks
.       0
/       1
0-9     2-11
A-Z     12-37
a-z     38-63

So, for example, if you wanted a user to change their password somewhere between 11 and 2 weeks you would put ,A9. (See man 4 passwd.)
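
The value table above can be applied mechanically to audit which accounts carry an aging suffix. The script below is an added example, not part of the original notes: the function names, the MAX_WEEKS_POLICY threshold and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the aging suffix in passwd-format lines (non-trusted systems).
# Aging alphabet in value order, per the table: (position - 1) = number of weeks.
AGING_ALPHABET='./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
# Assumption: local policy wants passwords to expire within this many weeks.
MAX_WEEKS_POLICY=${MAX_WEEKS_POLICY:-13}

# Reads passwd-format lines on stdin and prints one finding per account.
audit_aging() {
    awk -F: -v alpha="$AGING_ALPHABET" -v limit="$MAX_WEEKS_POLICY" '
    /^#/ || NF < 2 { next }
    {
        comma = index($2, ",")
        if (comma == 0) { print $1, "NO_AGING"; next }
        age = substr($2, comma + 1)
        # Only char1 (max) and char2 (min) are decoded; anything after them is ignored.
        max = index(alpha, substr(age, 1, 1)) - 1
        min = index(alpha, substr(age, 2, 1)) - 1
        if (length(age) < 2 || max < 0 || min < 0) { print $1, "MALFORMED"; next }
        flag = (max > limit) ? " OVER_POLICY" : ""
        print $1, "max=" max, "min=" min flag
    }'
}

# Constructed sample input (the hash strings are placeholders, not real hashes).
sample_passwd() {
    cat <<'EOF'
alice:PLACEHOLDERHSH,90:101:20::/home/alice:/usr/bin/sh
bob:PLACEHOLDERHSH:102:20::/home/bob:/usr/bin/sh
carol:PLACEHOLDERHSH,z.:103:20::/home/carol:/usr/bin/sh
dave:PLACEHOLDERHSH,!9:104:20::/home/dave:/usr/bin/sh
EOF
}

sample_passwd | audit_aging
```

To audit a real system, feed it the live file instead of the sample: audit_aging < /etc/passwd.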

problem changing password on trusted system (HPUX)

Trying to change a password on an HP-UX trusted system fails with the following:
Password cannot be changed.  Reason: Cannot access protected password entry.

This means the auth files in /tcb are out of sync with the /etc/passwd file. Someone may be making changes manually to the /etc/passwd file (like adding user accounts), but that doesn't update or create the appropriate entries in /tcb/files/auth.

Check it by running the authck -p (or pwck -s) command to verify the trusted computing base in /tcb. This doesn't fix the problem; you'll have to delete the entry (from /etc/passwd) and add it again (via sam or useradd), or use the pwconv command.