How it the backend password expiration procedure implemented?

Step 1. Magento\User\Observer\Backend\AuthObserver::_checkExpiredPassword()

It produces the «It’s time to change your password.» message:

Step 2. Magento\User\Model\Backend\Config\ObserverConfig::_isLatestPasswordExpired()

Step 3A. Magento\User\Model\Backend\Config\ObserverConfig::getAdminPasswordLifetime()

Step 3B. Magento\User\Model\ResourceModel\User::getLatestPassword()

The backend passwords are stored in the admin_passwords database’s table.
If a password is already expired, then its expires field (of the admin_passwords table) contains a non-zero value.

See also: