This is a common feature for a few PMS systems which I gather is based on a belief that it would take 90 days for the average computer to crack the average password.
ResDiary would of course want to do everything possible to improve the level of security in your business, but this function isn't a direction we are going to take, as with modern technology on the cloud, it is possible for average passwords to be cracked within seconds.
The secondary issue for us if we were to implement this would be that frequent password changes would increase the chance that users will forget passwords and lock themselves out of their account. They could still use the email password reset function with Captcha but in a busy restaurant environment this isn't always practical.
If interested on further viewpoints on this subject, please see the article below from the UK national cyber security centre which advises against auto-password expiration and have provided some guidelines for a more modern approach on improving password security;
What we can help with is to restrict IP address access which will restrict the access to ResDiary from other computers not on site.
If this would be suitable, you need only send a list of IP addresses to firstname.lastname@example.org and ask that only these should be able to access ResDiary.
Please can I request functionality for user passwords to be changed after 90 days.