Find users with unchanged passwords?

You can use the chage command to see the last time they changed their password, for example:

sudo chage -l kbrandt

You can mix that with a loop and awk of the /etc/passwd file, might be a better way though. Maybe something like:

while read line; do 
    date_change=$(echo $line | awk -F: '{print $3}')
    user=$(echo $line | awk -F: '{print $1}')
    #Say you set them on 14120 days since Jan 1, 1970
    if [[ $date_change -eq 14120 ]]; then
        #chage command to set warning and password expiration for $user
    fi
done < /etc/shadow

To expire the password set the expiration date to a date in the past:

chage -E 0 username    # 0 is January 1, 1970; 14496 is 9/9/9

To remove the expiration use -1:

chage -E -1 username

Combine these with Kyle's script.

However, you can get your user and date_change using only one call to awk:

# Bash
read user date_change <<< $(echo $line | awk -F: '{print $1, $3}')

or

# Bash
read user date_change < <(echo $line | awk -F: '{print $1, $3}')

or

# Bourne
read user date_change <<EOF
`echo $line | awk -F: '{print $1, $3}'`
EOF

However, awk is unnecessary:

while IFS=: read -a line
do 
    date_change=${line[2]}
    user=${line[0]}
    # Have they changed their password since I told them to on Jul 1?
    if [[ $date_change <= 14426 ]]; then
        # Expire their password, that'll get their attention
        chage -E 0 $user
    fi
done < /etc/shadow

The date the password was last changed is listed in /etc/shadow in the third field (coded as days since 1970/01/01).

You could then use the chage utiliy to enforce a password change after n days since the last change. But beware that this setting is persistent, it will expire the password every n days, so if you don't want that you will have to reset this in a second run, after the first change.

I really would like an option to enforce a password change upon first login, like MacOS and Windows offers.