NIST came out last year with some guidelines on how to choose passwords <https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/>. The “dos” should not be too surprising, but it is worth mentioning the “don’ts”: * No restrictions on what characters are allowed * No password hints * No knowledge-based authentication * No expiration without some good reason Also, they are no longer recommending the use of SMS for two-factor authentication. I wonder what you should use instead?