user expectation – creating the correct password parameters for a site, with cc details stored

I am trying to think of the best requirements to set a password for a site. A credit card is stored on the site, but is only useful to the site owner. i.e. if someone else logged in, they wouldnt get much benefit.

Its actually a customer relationship management cloud software service.

So here are my options:

  1. min 6 character password – simple and easy, they can use their favorite password, and wont struggle to remember it.

  2. min 8 chars, 1 upper case, 1 number, 1 non-alphanumeric character – secure, but it gets annoying, and if you forget the password, its hard tor remember.

  3. min 6 chars, 1 number, 1 upper case – somewhere in between, a bit more secure, and a likely chance they can still enter their favorite password.

Thoughts?