The latest NIST (United States National Institute of Standards and Technology) guidelines on password policies recommend a minimum of 8 characters. Perhaps more interesting is what they recommend against: allowing password hints, requiring the password to contain certain character classes (such as numeric digits or upper-case letters), using knowledge-based authentication (e.g., "what is your mother's maiden name?"), using SMS (Short Message Service) for two-factor authentication, and expiring passwords after a fixed period. They also provide recommendations on how password data should be stored.
[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]
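To make the summary concrete, here is an added example (not code from the article, NIST, or the submitter) of a password check that follows the recommendations listed above: it enforces only a minimum length, imposes no character-class composition rule, and has no hint or expiry fields. The storage side uses a per-user random salt with PBKDF2-SHA256, which is this example's assumption about what "how password data should be stored" entails; the iteration count, the 64-character upper bound, and the NFKC normalisation step are likewise assumptions chosen for the example, not values from the page. A legacy composition check is included only to show how it rejects a long passphrase the new policy accepts.

```python
"""Password policy and storage helpers following the NIST-style
recommendations summarised above. Added example; the salted PBKDF2
storage scheme, iteration count and length cap are assumptions."""
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional

MIN_LENGTH = 8        # the minimum length the summary cites
MAX_LENGTH = 64       # assumption: allow long passphrases, cap runaway input


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical inputs compare equal (assumption)."""
    return unicodedata.normalize("NFKC", password)


def check_policy(password: str) -> List[str]:
    """Return a list of policy violations; an empty list means acceptable.

    Deliberately no rules about digits, upper-case or symbols, no hint,
    and no expiry date: only length is checked.
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    return problems


def legacy_composition_check(password: str) -> List[str]:
    """The kind of composition rule the guidelines recommend against."""
    problems = []
    if not any(c.isdigit() for c in password):
        problems.append("must contain a digit")
    if not any(c.isupper() for c in password):
        problems.append("must contain an upper-case letter")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> dict:
    """Salted PBKDF2-SHA256 record suitable for storing in a user table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                 salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    passphrase = "correct horse battery staple"   # constructed sample input
    print("new policy:", check_policy(passphrase) or "ok")
    print("legacy rule:", legacy_composition_check(passphrase) or "ok")
    rec = hash_password(passphrase)
    print("stored record:", rec)
    print("verify:", verify_password(passphrase, rec))
```

Note that `verify_password` works only with the stored `salt` and `iterations`, so the record can be upgraded to a higher iteration count on next login without a policy change for the user.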
(Score: 2) by stormwyrm on Friday August 19 2016, @11:41PM
Then your users will hate you right back, and they will undermine your security policy every chance they get, and do dangerous things like write their passwords down and put them in insecure locations, because they can't freaking remember them with all the asinine restrictions you try to impose. You need to compromise with the limitations of human memory and cognition and make it work for you instead of against you. This is why XKCD 936 [xkcd.com] is a reasonably sound recommendation, only I'd use more words instead of just four.
Plurality is never to be posited without necessity.