546
NIST proposes barring some of the most nonsensical password rules
(arstechnica.com)
This is a most excellent place for technology news and articles.
~~That stipulation goes rather close to #5, even not being a composition rule.~~ EDIT: see below.
I think that a better approach is to follow the recommended min length (15 chars), unless there are good reasons to lower it and you're reasonably sure that your delay between failed password attempts works flawlessly.
EDIT: as I was re-reading the original, I found the relevant excerpt:
So they are requiring CSPs to do what you said, and check it against a list of compromised passwords. However they aren't associating it with password length; on that, the Appendix 2 basically says that min length depends on the threat model being addressed; as in, if it's just some muppet trying passwords online versus trying it offline.