The US National Institute of Standards and Technology (NIST) released updated guidance regarding authentication systems in 2017, which includes new recommendations for password complexity and non-password authentication systems. This document reviews the NIST guidelines and offers practical guidelines to IT organizations and (separately) to application developers.
Password guidelines are a subset of NIST Special Publication 800-63 (Revision 3): Digital Identity Guidelines.
Organizations that use systems or applications must deploy and support that software as it exists, not as they wish it behaved. As such, only a subset of the NIST rules applies to them: those that do not require changes to the underlying software or service.
On the other hand, organizations that develop software can attempt to comply with a broader range of recommendations.
This document has separate sections for application developers versus the IT organizations that deploy and support applications.