We suggest following the Cybersecurity Infrastructure and Security Agency guidelines.
Key Password Protections:
- Required to be at least 8 characters.
- Not the same as the user's current password if resetting.
- Not used on another service.
- Not dictionary words (e.g. Elephant).
- Not repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Not context-specific words, such as the name of the service, the username, and derivatives thereof. (e.g. Seesaw1234).