The latest NIST guidelines on password policies (SP 800-63B, summarized at [sophos.com]) recommend a minimum of 8 characters for user-chosen passwords, and require that verifiers accept passwords of at least 64 characters. Perhaps more interesting is what they recommend against. They recommend against password hints that an unauthenticated user can see, composition rules that require particular character classes (numeric digits, upper-case letters, symbols), knowledge-based authentication (e.g., "What is your mother's maiden name?"), and forced password expiry after a fixed period (passwords should instead be changed when there is evidence of compromise). In place of composition rules, they recommend checking new passwords against a list of commonly used and previously breached values. They also provide recommendations on how password data should be stored: salted and hashed with an approved one-way key derivation function rather than kept in any recoverable form.
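As an added illustration (this is example code written for this page, not NIST's own or the cited article's), the following Python puts the two halves of that guidance side by side: an enrollment check that applies only a length floor, a length ceiling and a blocklist, contrasted with the kind of composition rule NIST now discourages, plus salted PBKDF2-HMAC storage and constant-time verification. The blocklist is a constructed stand-in for a real breached-password list, the 100,000-iteration work factor is an assumption to be tuned upward for production hardware, and NFKC normalization before hashing follows SP 800-63B's guidance on Unicode passwords.

```python
import hashlib
import hmac
import os
import unicodedata

# SP 800-63B: at least 8 characters for user-chosen passwords, verifiers
# must accept at least 64, and no composition rules.
MIN_LEN = 8
MAX_LEN = 64

# Constructed sample blocklist; a real deployment checks against a large
# list of breached and commonly used passwords.
BLOCKLIST = {"password", "p@ssw0rd1", "123456789", "qwertyuiop", "letmein1"}

# Assumption: illustrative work factor; raise it as far as your verifier's
# latency budget allows.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def normalize(pw: str) -> str:
    # Normalize Unicode (NFKC) so the same visible password always maps to the
    # same byte string before length checks and hashing.
    return unicodedata.normalize("NFKC", pw)


def validate_password(pw: str) -> tuple[bool, str]:
    """NIST-style enrollment check: length and blocklist only."""
    pw = normalize(pw)
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    if pw.lower() in BLOCKLIST:
        return False, "commonly used or previously breached"
    return True, "ok"


def legacy_composition_ok(pw: str) -> bool:
    """The kind of rule NIST advises against: require upper-case, digit and symbol.

    Note how it accepts a weak, widely breached value and rejects a long
    passphrase that the NIST-style check accepts.
    """
    return (
        any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() and not c.isspace() for c in pw)
    )


def hash_password(pw: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, iterations)
    # Self-describing record so the work factor can be raised later without
    # breaking existing entries.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", normalize(pw).encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "correct horse battery staple", "Tr0ub4d"):
        ok, reason = validate_password(candidate)
        print(f"{candidate!r}: NIST-style={ok} ({reason}), legacy={legacy_composition_ok(candidate)}")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Running it shows the mismatch the guidelines are addressing: `P@ssw0rd1` satisfies the legacy composition rule but fails the blocklist check, while the long passphrase fails the legacy rule and passes the NIST-style check. Two calls to `hash_password` for the same input produce different records because each gets a fresh random salt, so equal passwords across accounts are not visible in the stored data.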