I'm not aware of an industry standard, but the problem with acceptable parameters is that it varies according to the application. I have about 20 different logins and passwords for different things, and most of them have very specific requirements that contradict each other. I have some that require the use of a special character, and some that don't *allow* special characters. I have some that can be no longer than 6 characters and others that must be a minimum of 8. Those are just examples.
I personally will always make my password as complex as I can, given the parameters I have to work with. Fortunately the ones with the "weak" password schemes tend to be low risk applications anyway.
If you are asking because of the need to put something in a policy, I'm not aware of any quotes you can use. My own policies don't make reference to required parameters for the reasons I mention above, and I've never received any negative comments about it. However, I maintain a full manual including information on every application we use that describes the security controls for those apps - password parameters and expirations, time out features, etc.
_________________________
My opinions are my own and do not necessarily reflect the opinions of my employer.