11 Mar
2017
10:26 p.m.
NIST came out last year with some guidelines on how to choose passwords https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/. The “dos” should not be too surprising, but it is worth mentioning the “don’ts”:
* No restrictions on what characters are allowed
* No password hints
* No knowledge-based authentication
* No expiration without some good reason
Also, they are no longer recommending the use of SMS for two-factor authentication. I wonder what you should use instead?
Lawrence D'Oliveiro