Lock Up Your Customer Accounts, Give Away the Key

In your web application, how secure do you require your users' credentials to be? Do you require passwords to be a certain length, with enough kinds of different characters? Maybe you're more progressive and employ two-factor auth, or alternative auth like biometrics or single-use SMS keys.