If you opt to use ASE's password policy capabilities to enable "systemwide password expiration", pay close attention to the "password exp warn interval" setting as well. The default appears to be 45 days, which is a bit high for me.

The reason I bring this up, is when that interval is hit, any attempt to login will be greeted by a warning from ASE indicating how many days are left before expiration. Seems simple, but this can cause headaches for cron jobs and other applications that aren't designed to handle the additional output (or error message if you're coming in via OCS). This is a pain in the butt to discover at 3am on a Sunday when your pager starts going off because of failed cron jobs all over the place.