I know that forcing passwords to expire after a certain period from the time the user creates them is not part of Devise logic, and I'm planning to write my own code to make that happen.
It also looks like forcing the user not to reuse one of the last X (in my case 10) passwords will need to be coded manually.
My thinking is that I'll create something like a user_passwords table and use logic in my code to make sure the new password doesn't match any in that table for that user. At the same time I would insert the new password into the table, unless there are 10 records for that user there already, which would mean I'd overwrite the oldest with the new value. Table structure would be something like this:
user_passwords
If anyone has a better, more elegant solution to handle this, I'd appreciate it.
The devise_security_extension seems to work for what I need.
However, at present, it doesn't support Devise 2.0 or higher. I ran into a number of issues, and had to downgrade my Devise to 1.5.3. According to comments on their message board, they're currently working on porting the gem to a Devise 2.0-compatible version.
I have given it a spin for its password_expirable and password_archivable modules. Everything seems to work as expected.
It also supports secure_validatable, session_limitable and expirable, the former 2 of which I will probably use in the near future.
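
The history-and-expiry logic discussed in this thread, as an added example (not code from the original posts and not devise_security_extension's implementation). The `PasswordHistory` class and its method names are hypothetical, the array is an in-memory stand-in for a per-user `user_passwords` table, and PBKDF2 from Ruby's standard library is an assumption chosen so the block runs without gems. It stores only salted hashes, so a reuse check re-derives the candidate against each stored salt instead of comparing plaintext.

```ruby
require "openssl"
require "securerandom"

# In-memory stand-in for the user_passwords rows of a single user.
class PasswordHistory
  Entry = Struct.new(:salt, :digest, :created_at)
  ITERATIONS = 10_000 # example work factor (assumption); tune for production

  def initialize(limit: 10, max_age: 90 * 24 * 3600)
    @limit = limit      # how many past passwords are remembered
    @max_age = max_age  # seconds before the current password expires
    @entries = []       # oldest first
  end

  def size
    @entries.size
  end

  # True if the candidate matches any remembered password.
  # Every entry is checked (no early exit) and compared in constant time.
  def reused?(password)
    @entries.map { |e| secure_equal?(e.digest, derive(password, e.salt)) }.any?
  end

  # Records the new password unless it is in the history; returns true/false.
  def change!(password, now: Time.now)
    return false if reused?(password)
    salt = SecureRandom.random_bytes(16)
    @entries << Entry.new(salt, derive(password, salt), now)
    @entries.shift while @entries.size > @limit # drop the oldest entries
    true
  end

  # True when no password is set or the current one is older than max_age.
  def expired?(now: Time.now)
    @entries.empty? || now - @entries.last.created_at > @max_age
  end

  private

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
  end

  def secure_equal?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Rails application the entries would be rows keyed by user id, with the reuse check run as a model validation before the new hash is saved.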