Password cracking is a rapidly changing field. The only way to validate your password policies is with a direct audit.
I provide a unique service in Anchorage - high-performance password auditing on site, using specialized tools and a custom hardware build.
Contact me to schedule a session. In your message, briefly outline any applicable external regulatory requirements (HIPAA, PCI, FFIEC, FDIC, NCUA, etc.).
For all other passwords, generate them randomly and store them with a password manager. KeePass is supported on multiple platforms and can detect when the underlying database has been synchronized from another location.
Enable two-factor authentication on every platform that supports it. SMS and email tokens are better than nothing. Offline-ready authenticator apps (like Google Authenticator, Authy) are much better. Hard tokens (like YubiKey FIDO U2F) are best.
Remember: your passwords are only as secure as your password reset mechanisms. Enabling 2FA on the email account used to reset your passwords is very important.