There is no ability to set how complex a password must be. eg Upper case, numbers letters, etc. Or even the length that it has to be. The minimum password length is 2 characters. Security audits did not pass this at our organisation as we couldn't set anything and any passwords were accepted,

With SSO / Win Auth turned on, this is partly resolved as our AD passwords can be set by the AD but our customers are outside our organisation and do not get win auth / sso when logging in so there is no way of enforcing our customers to make their password more secure.