Check out the recommended guidelines for password strength from NIST: Recommended guidelines for password strength