At least 9 characters long. No repeated characters. At least 1 number, 1 special character, and 1 capital letter. Cannot be same as last 10 passwords. Must change every 60 days. Oh, and don’t write it down either, or use on other sites.
Source: Password Policies are Getting Out of Control | blog@CACM | Communications of the ACM