Magnolia provides only one single "Password Policy":

• Max number of failed attempts.

The possible "Password Policies" should be extended to default possibilities/functionality almost every System offers (even not Enterprise):

• Force change password on first login
• Force change of password for a specific user
• Force password strength and mandatory character usages
• Force expiration time of all passwords
• Force expiration time of a specific user
• Force expiring all passwords now (everybody has to reset it now/next login)

Maybe also:

• A central place to define password strengths, best per user realm (so different for public users).
  A PUR based login form won't know about any regexp based validator on the password form field.

Especially in combination with the PUR module and different types of users (Public Users) such functionality is very important. Public users are in most cases not managed over AD, where some of this behavior could be delegated to.