Hang on, I don’t remember having $15m in the first place!
The sad thing is, these aren’t in your control.
Everywhere you go looking at online security you’ll see discussion on passwords. What should a password be? How long? Allow any obvious information derivatives? Forced complexity? Allow real words? Force expiry?