I call it a menu because it's a list that you can pick and choose from. Some technologies and processes may apply to your business, while others may not. Let this serve as a guide and choose from it based on risk factors and needs.
-- Make them at least eight characters long and a mix of letters, numbers and symbols;
-- Have them expire every 60 days in case someone steals both a user ID and a password;
-- Have the system set to lock an account after three or five failed attempts at getting the password right. Investigate why an account is locked versus simply resetting it;
-- Don't allow people to write their user ID or password on a note and stick it to their monitor or under their keyboard...;
-- Remove/disable default accounts such as "administrator" or "guest". If you can't, then at least change the password to something more secure;
-- On a daily or weekly basis, check the logs of access attempts to look for abnormal behavior;
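The log review in the last item can be partly automated. The following is an added example, not part of the original article: it scans access-attempt records for accounts that reach the lockout threshold, for a successful login right after a run of failures, and for any attempt against a default account. The log line format, the sample records, the 15-minute window and the threshold of three are assumptions; adapt them to what your system actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not a real product's.
SAMPLE_LOG = """\
2024-03-04 08:01:10 FAIL user=jsmith src=10.0.0.15
2024-03-04 08:01:22 FAIL user=jsmith src=10.0.0.15
2024-03-04 08:01:40 FAIL user=jsmith src=10.0.0.15
2024-03-04 08:02:05 OK user=jsmith src=10.0.0.15
2024-03-04 09:15:00 OK user=mlee src=10.0.0.22
2024-03-04 02:47:31 FAIL user=guest src=10.0.0.99
2024-03-04 11:30:00 FAIL user=mlee src=10.0.0.22
"""

LINE_RE = re.compile(r"^(\S+ \S+) (OK|FAIL) user=(\S+) src=(\S+)$")
DEFAULT_ACCOUNTS = {"administrator", "guest"}  # the defaults named in the list
LOCKOUT_THRESHOLD = 3                          # "three or five failed attempts"
WINDOW = timedelta(minutes=15)                 # assumed counting window

def review(log_text):
    """Return a sorted list of (account, reason) findings for manual follow-up."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the assumed format are skipped
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3).lower(), m.group(4)))
    events.sort()  # logs are not always written in time order
    findings = set()
    recent_fails = defaultdict(list)
    for ts, result, user, src in events:
        if user in DEFAULT_ACCOUNTS:
            findings.add((user, "attempt on default account"))
        # Keep only failures that fall inside the counting window.
        fails = [t for t in recent_fails[user] if ts - t <= WINDOW]
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= LOCKOUT_THRESHOLD:
                findings.add((user, "lockout threshold reached"))
        elif len(fails) >= LOCKOUT_THRESHOLD:
            # Lockout was not enforced, or the account was reset without review.
            findings.add((user, "success right after repeated failures"))
        recent_fails[user] = [] if result == "OK" else fails
    return sorted(findings)

if __name__ == "__main__":
    for account, reason in review(SAMPLE_LOG):
        print(f"{account}: {reason}")
```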