Managing Password Policies
If you are a System Administrator, you can set your organization's password policies from Admin > Configuration > Password Policies.

You can use the system defaults:

The system defaults set rules for:
Minimum length
Types of characters
Expiry period
Number of times an incorrect password can be tried before the user will need to reset their password
Or you can set custom policies for:
Minimum length
Expiry period
Number of times an incorrect password can be tried before the user will need to reset their password
When you create a user login, the user will be asked to reset their password when they log in.
Guidance on passwords:
Longer passwords are more secure
Passwords should be a mix of uppercase, lowercase, numbers, and symbols
Passwords should be different from the passwords you use to log into other accounts, like your email or bank account
Use a password manager to generate long/random passwords
Do not use common dictionary words or phrases. Be creative and thoughtful with your password choice - it adds an extra layer of security to your account from the start
Your password should not be your email, phone number or birthday
Avoid using common words, like “Password”
To automatically send reminders to users when their passwords are due to expire, go to the same page and, under Send reminder emails to users when their passwords are due to expire?, select Yes.
Users will then receive emails 7 days and 1 day before their passwords are due to expire.
In the email, they click Reset your password and are asked to set a new password.