When the 'Password Never Expires' permission is enabled on a user's Profile (either directly or via a Permission Set), Salesforce routes the user to a legacy change-password interface that does not include the option to reset the security question. The legacy interface is triggered because the system uses a different authentication flow for profiles with non-expiring passwords.
The updated change-password UI — which includes the security question reset option — is only accessible when the 'Password Never Expires' permission is removed from the profile.
Note: The screenshot below shows the legacy change password UI that appears when 'Password Never Expires' is enabled. The UI displays a basic password field only, without the security question reset option.
The 'Password Never Expires' permission, when active on a profile, forces Salesforce to use a legacy password change flow. This legacy flow does not support security question resets. The updated change password UI — which includes security question management — is only presented when the 'Password Never Expires' permission is inactive on the user's profile and all assigned Permission Sets.
To be redirected to the updated change password user interface, remove the 'Password Never Expires' permission from the user profile:
View and Edit Password Policies in Profiles - https://help.salesforce.com/s/articleView?id=platform.users_profiles_password_policies.htm&type=5
000393254

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.