>I'd go for at least 6 chars. You can ask for eg at least one upper case char, two lower case, one digit, .. Such a test is easily done with a Regex
I tend to go with a minimum of 10 characters. And, yes, in some applications, password rules could be really advanced.
Thanks