We'll be using the pwquality module for the Pluggable Authentication Module (PAM). This is a newer technology that has replaced the old cracklib module. On a Red Hat 7/8 or CentOS 7/8 system, pwquality is installed by default, even if you do a minimal installation. If you cd into the /etc/pam.d directory, you can do a grep operation to see that the PAM configuration files are already set up. retry=3 means that a user will only have three tries to get the password right when logging in to the system:

[donnie@localhost pam.d]$ grep 'pwquality' * password-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password-auth-ac:password requisite pam_pwquality.so try_first_pass ...