A Pluggable Authentication Module (PAM) which allows the establishment of alternate passwords that can be used to perform actions to clear sensitive data, notify IT/Security staff, close off sensitive network connections, etc if a user is coerced into giving a threat actor a password.
How to configure password complexity on Redhat Linux machines (and its derivatives). After playing with it for a while, I'd call this a best practice because it requires all of the different character classes but doesn't give you bonus points for using any one (i.e., you have to use them all, but they could the same insofar as character scoring is concerned).