I'm supposed to add a password timeout, after which a new password is required.

As a security feature, this practice has been thoroughly refuted. You can do it if you like, just don't be lulled into thinking that it will improve security.