Have I missed something?
Surely someone somewhere has spent the time to create standards, perhaps for their own purposes and not published. Not just "whats a secure password" but the whole end to end login process taking into account everything in this discussion and more - i.e. that a secure password is useless if the site in question is sloppy with their logon procedures, that people can't memorize dozens of 16 random character passwords, that we don't always have our 2fa token etc.
On gripe not yet mentioned here I think is what about when you travel to a place with a different keyboard layout so the local currency symbol in your password isn't represented on the keyboard of hotel guests 'net terminal. (And while we're at it, the situation of access from a possibly compromised terminal like that should be catered for). And when I travel to Moscow the keyboard is in Cyrillic... HELP!