At least 6 and at most 20 characters long
In this day and age of unstructured data, 20 characters seems like a stupid upper limit. All they have to do is google minimum password strength and out pops 8 characters. For 20 characters to be truly effective, they need to be chosen randomly. A highly unlikely scenario.