Another trick you can do with PAM is force your users to use complex passwords. This example sets a minimum password legnth of 8 characters composed of at least 1 digit, 1 uppercase, 1 lowercase, and 1 non-alphanumeric character:
password required /lib/security/$ISA/pam_cracklib.so
retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8
The retry means you get 3 chances to make a new password that complies to your rule until it gives up on you. Note also minlen=8 which sets the minimum password length to 8 characters.
Stuff that in your /etc/pam.d/system-auth. See my other post on how to expire a users password and make them comply to your new rule.