You should do none of this. It shouldn't be the websites concern if my account gets hacked - basic password requirements are fine, but anything that goes past a character count is just making the UX worse. The requirements increase friction, which you've already put at a high level due to requiring payment.