Tom,
The passwords are stored in the security server BLOB in an encrypted format. The OneWorld foundation code does the decryption. There is talk more support for open standards in ERP 9 such as certificates and other enterprise security management products. These products could then have their own password complexity rules which would be respected.
Currently you could make use of the OneWorld Unified Login feature which relies on the user authenticating within a windows domain and then allows them into OneWorld automatically. You could then implement password complexity rules within the domain.
What I would suggest is that you customise the user password dialog box. I have a client who has modified the code behind this box to validate the password against their particular corporate password policy. You can make it as draconian as you want. (alpha and numbers required, punctuation required, mixed case required, cannot repeat a digit in the same position, etc) By enforcing your standards at input time you are assured that the used cannot change the password so something weaker than you want. Once implemented you could set all users to expire in 1 or 2 days so that they would be prompted to change there current password.
The application you would change is: P98OWSEC Form W98OWSECD. You might also want to apply the same rules to the password entered in P98OWSEC W98OWSECF which is the Administrative Password Revisions form. This would assure that your Security Administrators could not give special treatment to certain users by assigning them weak passwords.
Regards,