Setting password complexity rules

We run a GitLab site for university users (and they all come from different institutions, so we can’t use a single LDAP). We recently went through penetration testing and the main issue the testers raised was with a lack of password complexity controls.

Although there is a control for minimum length, there isn’t anything I can see to require a mixture of caps/numerics, etc.

I don’t really want to force all users to use MFA, but I also don’t want users to have a password of 11111111.

Anyone know if this sort of simple control is coming?

Please tell me. Can I customize password requirements: change frequency, password complexity, password history?