This article shares an informative guide to the 2017 NIST password recommendations for protecting corporate systems.

http://searchsecurity.techtarget.com/answer/What-new-NIST-password-recommendations-should-enterprises-adopt

It’s not surprising one of NIST’s first password recommendations is PINs should be six digits long and passwords should be a minimum of eight characters, with a maximum length of 64 for more sensitive accounts. Remembering a password longer than eight characters is not necessarily easy, but NIST’s new guidelines allow the use of all printable ASCII characters, as well as all Unicode characters, including emoji, to improve usability and increase variety. Combine this with the recommendation that users should be encouraged to create longer phrases instead of hard-to-remember passwords, or passwords based on character swaps, such as “pA55w0rd” — which may appear complex, but, in fact, are not — and it opens the way for long, complex and easy-to-remember passwords.

Also, passwords should no longer be automatically expired after a certain period unless there’s a good reason, such as they have been forgotten, or there’s suspicion they have been phished or stolen and could therefore be subjected to an offline brute-force attack. This would mean there has to be some form of monitoring in place to detect potential compromises.

There is also advice on how to store users’ passwords safely. All passwords must be hashed, salted and stretched when stored. This will dramatically reduce the ability of hackers to cost-effectively crack passwords either in bulk or individually. Systems also need to check new passwords against a dictionary of known bad choices. Administrators need to ensure this dictionary matches its users’ most likely choices, which, depending on location and industry, may not necessarily exactly match the world’s 100 most likely passwords; having 100,000 such entries is suggested as a good starting point.
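
The following Python sketch is an added example, not code from the linked article or from NIST. It combines the length bounds, Unicode support, bad-password dictionary check and salted, stretched storage described above. The choice of PBKDF2-HMAC-SHA256, the iteration count, NFKC normalization and the tiny blocklist are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

MIN_LEN, MAX_LEN = 8, 64   # length bounds quoted in the article
ITERATIONS = 600_000       # assumed work factor; tune to your hardware
# Constructed sample; a real deployment loads a large list
# (the article suggests about 100,000 entries as a starting point).
BLOCKLIST = {"password", "pa55w0rd", "12345678", "qwertyuiop", "letmein123"}


def _normalize(password: str) -> str:
    # Assumption: NFKC, so the same Unicode passphrase hashes identically everywhere.
    return unicodedata.normalize("NFKC", password)


def check_new_password(password: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    pw = _normalize(password)
    problems = []
    if len(pw) < MIN_LEN:  # len() counts code points, so each emoji counts once
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if pw.casefold() in BLOCKLIST:  # case-insensitive dictionary check
        problems.append("known bad choice")
    return problems


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt and stretch the password; return a self-describing record."""
    salt = secrets.token_bytes(16)  # unique random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                             salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash from the stored salt and compare."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare
```

Storing the iteration count inside each record lets the work factor be raised later without invalidating existing hashes.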