diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index 537077f..37af0e9 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -19,7 +19,7 @@ backup=('etc/pam.d/system-auth'
         'etc/pam.d/system-remote-login'
         'etc/pam.d/system-services'
         'etc/pam.d/other')
-sha256sums=('89d62406b2d623a76d53c33aca98ce8ee124ed4a450ff6c8a44cfccca78baa2f'
+sha256sums=('bee501707640dca6096ba9fe404c29324c8f08950457f20637d741725b51db96'
             '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9'
             '2ed270c2789526336cc6479e63f6263b5c6f41cfc829a17a449a38621b6bf020'
             '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9'
diff --git a/trunk/system-auth b/trunk/system-auth
index af1d3a6..93f01a5 100644
--- a/trunk/system-auth
+++ b/trunk/system-auth
@@ -1,26 +1,26 @@
 #%PAM-1.0
 
-auth       required                    pam_faillock.so      preauth
+auth       required                                       pam_faillock.so      preauth
 # Optionally use requisite above if you do not want to prompt for the password
 # on locked accounts.
-auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
--auth      [success=1 default=ignore]  pam_systemd_home.so
-auth       [default=die]               pam_faillock.so      authfail
-auth       optional                    pam_permit.so
-auth       required                    pam_env.so
-auth       required                    pam_faillock.so      authsucc
+auth       [success=2 new_authtok_reqd=2 default=ignore]  pam_unix.so          try_first_pass nullok
+-auth      [success=1 new_authtok_reqd=1 default=ignore]  pam_systemd_home.so
+auth       [default=die]                                  pam_faillock.so      authfail
+auth       optional                                       pam_permit.so
+auth       required                                       pam_env.so
+auth       required                                       pam_faillock.so      authsucc
 # If you drop the above call to pam_faillock.so the lock will be done also
 # on non-consecutive authentication failures.
 
--account   [success=1 default=ignore]  pam_systemd_home.so
-account    required                    pam_unix.so
-account    optional                    pam_permit.so
-account    required                    pam_time.so
+-account   [success=1 new_authtok_reqd=1 default=ignore]  pam_systemd_home.so
+account    required                                       pam_unix.so
+account    optional                                       pam_permit.so
+account    required                                       pam_time.so
 
--password  [success=1 default=ignore]  pam_systemd_home.so
-password   required                    pam_unix.so          try_first_pass nullok shadow
-password   optional                    pam_permit.so
+-password  [success=1 new_authtok_reqd=1 default=ignore]  pam_systemd_home.so
+password   required                                       pam_unix.so          try_first_pass nullok shadow
+password   optional                                       pam_permit.so
 
-session    required                    pam_limits.so
-session    required                    pam_unix.so
-session    optional                    pam_permit.so
+session    required                                       pam_limits.so
+session    required                                       pam_unix.so
+session    optional                                       pam_permit.so