Trouble with password rules in Linux-PAM

Ubuntu 20.04. I've installed pam_pwquality.so.

Here's the contents of /opt/pam.d/common-password:

password    required    pam_pwquality.so retry=1 minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=1 symbols="!#%^()&"
password    required    pam_unix.so obscure use_authtok try_first_pass sha512

The intention here is that all passwords:

• Must be at least 10 characters long
• Must have at least one uppercase letter
• Must have at least one lowercase letter
• Must have at least one digit
• Must have at least one symbol, which may be one of these ! # % ^ ( ) &

However, it doesn't seem to quite work right:

$ sudo passwd joe
New password:
BAD PASSWORD: The password contains less than 1 digits
Retype new password: 
passwd: password updated successfully

For the both prompts, I typed "blah".

The "New password" prompt correctly recognizes that the password does not meet the complexity requirements. However, instead of asking the user to try again, it proceeds directly to the "Retype new password" prompt, which seems to ignore the complexity requirements.

What am I doing wrong?

I found the answer here:

https://askubuntu.com/questions/1189848/ubuntu-16-04lts-pwquality-conf-pam-pwquality-registering-incorrect-passwords

The rule needs enforce_for_root.