Company Password Policy

Does anyone have some “go-to” references or authorities on password policy?

I am looking to provide guidance to my company’s users on how to create better passwords, but I’m having a hard time finding any current guidelines/recommendations.

Specifically, I think I want to push people to passphrases rather than passwords, but I can’t find reliable references on what constitutes a “good” passphrase.

From NIST:

A passphrase is a memorized secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage, but is generally longer for added security.

Does your system allow you to make rules on how the passwords must be configured? Passphrase it a good idea that I should probably implement in my system.

At minimum, set pass minimum length, require Cap and lowercase, require number, require special character. And if security is a little higher, set expiration time period, and do not allow past passwords to be used. Time period can be really short but annoying, to way too long and might as well never expire. 6 months is common, 3 months tighter, 1 month would border on annoying for most users.