It’s a pain to enforce password length it always causes you to reset passwords over and and over again but it does provide better security. So here is how you enforce it in Linux. Inside the /etc/pam.d/system-auth file you modify the pam_cracklib.so line:
pam_cracklib.so retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
So these settings are: (retry=3) allow 3 login trys, (minlen=10) minimum password length 10, (lcredit=-1) Minimum number of lower case letters is 1, (ucredot=-1) Minimum upper case is 1, (dcredit=-1) Minimum number of digits is 1, (ocredit=-1) Minimum number of other characters is 1.
To remember old passwords then add a line to pam_unix.so (this will remember 10 past passwords and they cannot be used sooner than minimum password change length times passwords to remember.)
pam_unix.so remember=10
If you want to enforce that the new password has different characters than previous remembered ones then add the following to pam_cracklib.so. At least 2 characters
pam_cracklib.so difok=2