for all of these things, you need to add columns to your users table to track things like login date, failed login attempts, and password change date.
These are all posible to add, but not necessarily easy to add without a solid understanding of the database structure, and PHP code.
1) add a column for logindate. once logged in, use an update record behavior to store the current date. add a condition to the security assist authenticate user behavior to make sure the date stored in the lastLogin date is less than 90 days old.
2) add a column for passwordChangeDate each time the password is changed, update this column to the current date. add an access rule to compare the passwordChangeDate to the current date if it is over 90 days old, force them to the password update page.
3) for this one, you'll need a password history table that stores the previous password and the userID. when the password is successfully updated, store the old password in the password history table. When they try to change the password, look up the attempted password in the history table, if it exists, deny the update.
4) add a loginAttempts column, on each failure, update this column by 1. if it gets to 4, deny access.
If you need assistance implementing this, i would suggest signing up for a premiere support appointment.