Good stuff. You don’t reference the NIST guidelines explicitly, but I think your recommendations are more or less a superset. The avoidance of common passwords is arguably the most important thing for ordinary users, so it’s good that you covered that so well.