That's about as good as you're going to get. The only change I'd make is a minimum of 10 characters and a longer expiration time. if choosing a password is hard work and frequent, users choose weak passwords.