How to fortify with strong password guidelines?
Guidelines for managing digital identities securely when handling password input, sign-up or login for any website:

- For user-generated passwords, require at least 8 characters; for machine-generated ones, at least 6 characters is a must.
- Always store passwords hashed and salted, never in plaintext.
- Skip composition rules such as requiring special characters or numbers.
- Don't use security questions for password reset. Because of social media and tricks like social engineering, it's easy for attackers to find those answers.
- Give users 10 tries on failed login attempts before locking them out.
- Don't ask users to change passwords frequently. Forcing periodic changes with complexity requirements frustrates people and leads them to pick simpler passwords they can remember, which gives attackers more chances to get in. Only reset a password when the user asks for it.
- Don't rely on SMS for codes when using multi-factor authentication (2FA). It is not the safest option.
- Users should be free to create long passwords, up to 64 characters, including emojis.
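The length, storage and lockout rules above, put together in one runnable policy as an added example (this is not code from the original article). The PBKDF2 iteration count, the 16-byte salt, the in-memory failure counter and the choice to count length in Unicode code points are this example's own assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Length bounds from the guidelines: 8 for user-chosen, 6 for
# machine-generated passwords, and at least 64 accepted for everyone.
MIN_USER_LEN, MIN_MACHINE_LEN, MAX_LEN = 8, 6, 64
MAX_FAILED_ATTEMPTS = 10      # lock the account after 10 failed logins
PBKDF2_ITERATIONS = 200_000   # assumed work factor, tune for your hardware

def validate_password(password: str, machine_generated: bool = False) -> tuple:
    """Length-only policy: no forced digits or symbols, Unicode and emoji allowed.
    Length is counted in code points (assumption), so a multi-code-point emoji
    counts as more than one character."""
    minimum = MIN_MACHINE_LEN if machine_generated else MIN_USER_LEN
    if len(password) < minimum:
        return False, f"must be at least {minimum} characters"
    if len(password) > MAX_LEN:
        return False, f"must be at most {MAX_LEN} characters"
    return True, "ok"

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 with a fresh random salt per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

class LoginThrottle:
    """Counts failed logins per user and locks after MAX_FAILED_ATTEMPTS."""
    def __init__(self) -> None:
        self.failures = defaultdict(int)

    def is_locked(self, user: str) -> bool:
        return self.failures[user] >= MAX_FAILED_ATTEMPTS

    def attempt(self, user: str, password: str, salt: bytes, digest: bytes) -> bool:
        if self.is_locked(user):
            return False          # locked out: refuse even a correct password
        if verify_password(password, salt, digest):
            self.failures[user] = 0   # a successful login resets the counter
            return True
        self.failures[user] += 1
        return False
```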