First of all, you must store the date of the last time a password was changed. So the users table would look like: id, login, password, pwd_date
Secondly, inside your AppController->login() method, you would need to add a few lines of code that would be similar to:
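    // Load the logged-in user's record; AuthComponent::user() reads the session value
    $user = $this->User->findById($this->Auth->user('id'));
    // pwd_date is stored as a date, so convert it to a timestamp before comparing
    if (strtotime($user['User']['pwd_date']) < strtotime('-3 months') || '' == trim($user['User']['password'])) {
        // Placeholder: show the view that tells the user the password must be reset
        promptViewToShowMustResetPassword();
    }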
Now, as for checking whether the username and password are the same, you would need to set it up inside the model for your user as a custom validation rule, and make it NOT ALLOW the use of username for the password.
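A sketch of the custom validation rule described above, as an added example that is not part of the original post. The `new_password` field, the rule name `passwordIsNotLogin` and the `AppModel` stub (only there so the file runs outside CakePHP) are assumptions; the rule has to see the plaintext value, so it is attached to a form field that has not been hashed yet.

```php
<?php
// Added example, not from the original post.
// Stub so this file runs outside CakePHP; inside an app the framework's AppModel is used.
if (!class_exists('AppModel')) {
    class AppModel {
        public $data = array();
    }
}

class User extends AppModel {
    // 'new_password' is a hypothetical plaintext form field. Validate it here,
    // then hash it into the password column and update pwd_date when saving.
    public $validate = array(
        'new_password' => array(
            'notLogin' => array(
                'rule' => array('passwordIsNotLogin'),
                'message' => 'The password must not be the same as the login.',
            ),
        ),
    );

    // Custom rule: CakePHP passes array(fieldName => value) as $check.
    public function passwordIsNotLogin($check) {
        $password = trim((string) current($check));
        $login = isset($this->data['User']['login'])
            ? trim((string) $this->data['User']['login'])
            : '';
        if ($login === '') {
            // Nothing to compare against. On a change-password form, include
            // the login in the submitted data so this branch is not taken.
            return true;
        }
        // Case-insensitive, so "Alice" is rejected for the login "alice".
        return strcasecmp($password, $login) !== 0;
    }
}

// Constructed sample input.
$user = new User();
$user->data = array('User' => array('login' => 'alice'));
var_dump($user->passwordIsNotLogin(array('new_password' => 'Alice ')));
var_dump($user->passwordIsNotLogin(array('new_password' => 'c0rrect-horse')));
```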