You want your users to employ strong passwords.
Use the CrackLib [Recipe 9.2] module of PAM, pam_cracklib, to test and enforce password strength requirements automatically. In some Linux distributions such as Red Hat 8.0, this feature is enabled by default. passwd and other PAM-mediated programs will complain if a new password is too short, too simple, too closely related to the previous password, etc.
You can adjust password strength and other variables by editing the parameters to the pam_cracklib module in /etc/pam.d/system-auth. For example, to increase the number of consecutive times a user can enter an incorrect password, change the retry parameter from its default of 3:
password required /lib/security/pam_cracklib.so retry=3
PAM allows recursion via the pam_stack module?that is, one PAM module can invoke another. If you examine the contents of /etc/pam.d, you will find quite a number of modules that recursively depend on system-auth, for example. This lets you define a single, systemwide authentication policy that propagates to other services.
Red Hat 8.0 has a sysadmin utility, authconfig , with a simple GUI for setting system authentication methods and policies: how authentication is performed (local passwords, Kerberos, LDAP), whether caching is done, etc. authconfig does its work by writing /etc/pam.d/system-auth. Unfortunately, it does not preserve any customizations you might make to this file. So, if you make custom edits as described above, beware using authconfig?it will erase them!
pam(8), authconfig(8), pam_stack(8). See /usr/share/doc/pam-*/txts/README.pam_cracklib for a list of parameters to tweak.