What is your basis for suggesting anything less than those guidelines is sufficient?
We should be encouraging people to select passwords that they can't remember so that they are then encouraged to generate them with a tool (my favorite being KeePass).
Longer passwords let you optimize passwords for ease of recall and security, rather than fitting in arbitrary requirements.
There were no duplicates in any of the 50 sets. (About a week's runtime on a fairly modest Intel processor.)
Given that 100m accounts is a fair fraction of the world's active computer users, that's a pretty good start.
(There are further reasons for finding passwords alone insufficient for security, but at least these are strong, and yet potentially memorable, passwords.)
EDIT: Well, with the exception of your password manager one, if not using biometrics.