What are the two best practices for passwords?

Enforcing password complexity is necessary. Because users can remember passwords they generate without having to write them down, they are preferable to randomly generated ones. However, they shouldn't be something that are simple for other people to figure out, like the dog's name or someone's birthday. Passwords should expire after a certain amount of time to make it more challenging for someone to use a compromised password. The time between password expirations should be no more than 45–90 days.