Maybe there was a simpler way to do this but this is what I've done. I've added rules to the change_password application; some of these using the options available in SC, others with simple rules (new password cannot be the same as the old, cannot be the same as the user login...) - and this - which is called from Events > Onvalidate before passwords are encrypted.

What it does:
Requires password to be 8-20 characters
Verifies that users password contains A-Z, a-z, 0-9 and a special character.

Here's the code:
$pwd={pswd} ;
if (preg_match("#.*^(?=.{8,20})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).*$#", $pwd)){
return true ;
} else {
sc_error_message("Your new password must comply with password requirements") ;