Password requirements
Many password requirements can be enforced using a password validation routine, which is available to implement in the System Management Portal. But how about this one:
Check that at least 50% of the characters changed from old password to new password.
We need to have access to the old password to check this; currently the password validation routine only gets the new password.
We can create a new form to update the password where the user must enter the old password and the new password. I think I can block users from changing the password the usual way by having a password routine reject all passwords.
Is there a better way?
Since the storage of passwords is only in salted & hashed format, you'll need to ask for the previous password, check that it logs the user in and then do the checking on the new password. That'll be your only time to view the previous password in plaintext.
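The flow described in the answer above, as an added Python sketch that is not part of the original thread and is not InterSystems code. It assumes a salted PBKDF2 record standing in for the platform's own login check, and it interprets "50% of the characters changed" as Levenshtein edit distance divided by the length of the longer password; all names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def changed_fraction(old: str, new: str) -> float:
    # Assumed metric: edits needed, relative to the longer of the two passwords.
    longest = max(len(old), len(new))
    return edit_distance(old, new) / longest if longest else 0.0


def change_password(record: dict, old: str, new: str, min_changed: float = 0.5) -> str:
    """Return 'ok', 'bad-old-password' or 'too-similar'; update record on 'ok'."""
    # Step 1: the old password must authenticate; only the salted hash is stored.
    supplied = hash_password(old, record["salt"])
    if not hmac.compare_digest(supplied, record["hash"]):
        return "bad-old-password"
    # Step 2: the only moment both plaintexts are available for comparison.
    if changed_fraction(old, new) < min_changed:
        return "too-similar"
    # Step 3: store the new password under a fresh salt; keep neither plaintext.
    record["salt"] = os.urandom(16)
    record["hash"] = hash_password(new, record["salt"])
    return "ok"


def demo() -> list:
    salt = os.urandom(16)  # constructed sample account, not real data
    record = {"salt": salt, "hash": hash_password("Summer2023!", salt)}
    return [
        change_password(record, "wrong-guess", "Xk7#pQzv92Lm"),
        change_password(record, "Summer2023!", "Summer2024!"),
        change_password(record, "Summer2023!", "Xk7#pQzv92Lm"),
        change_password(record, "Summer2023!", "anything-else"),
    ]
```

Using edit distance rather than a position-by-position comparison means that prepending or appending a character to the old password does not count as changing every character.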