Comment on Please pick a password starting with ad and ending with min

rekabis@lemmy.ca 4 weeks ago

16 characters was the minimum length a password should be due to how easy it was to crack… something like ten years ago.

Now it’s something like 20 to 24 characters.

Seriously, if your company is defining maximum password length and demanding specific content, it is failing at the security game. Have the storage location accept a UTF-8 string of at least 2048 bytes - or nvarchar(max) if it’s a database field - and do a bitwise complexity calculation as your only “minimum value” requirement.

Look at how KeePass calculates password complexity, and replicate that for whatever interface you are using. Ensure that it is reasonable, such as 150-200 bit complexity, and let users choose whatever they want to achieve that complexity.

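A sketch of the policy the comment above describes (a byte cap set by storage and a minimum estimated bit count, with no composition rules), added here as an example; it is not part of the original comment and is not KeePass's algorithm. The function names, the `POOLS` alphabet sizes and the run-collapsing heuristic are assumptions; the 2048-byte and 150-bit figures are taken from the comment.

```python
import math
import unicodedata

MAX_BYTES = 2048  # storage size named in the comment; the only length cap
MIN_BITS = 150    # lower end of the comment's 150-200 bit range

# Assumed alphabet size per character class (illustrative values).
POOLS = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33, "other": 100}

def char_class(ch):
    if not ch.isascii():
        return "other"
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    return "digit" if ch.isdigit() else "symbol"

def estimate_bits(password):
    """Heuristic bits: log2(pool) per character, runs collapsed.

    No dictionary check, so common words are over-estimated.
    """
    text = unicodedata.normalize("NFC", password)
    if not text:
        return 0.0
    pool = sum(POOLS[c] for c in {char_class(ch) for ch in text})
    per_char = math.log2(pool)
    bits, run, prev = 0.0, 0, None
    for ch in text:
        if prev is not None and abs(ord(ch) - ord(prev)) <= 1:
            run += 1  # repeat ("aaa") or +/-1 step ("abc", "321")
        else:
            # Close the previous run at log2(length) bits, start a new one.
            bits += per_char + math.log2(run + 1)
            run = 0
        prev = ch
    return bits + math.log2(run + 1)

def check_password(password):
    """Return (accepted, reason); no composition rules are applied."""
    if len(password.encode("utf-8")) > MAX_BYTES:
        return False, f"longer than {MAX_BYTES} bytes"
    bits = estimate_bits(password)
    if bits < MIN_BITS:
        return False, f"estimated {bits:.0f} bits, need {MIN_BITS}"
    return True, f"estimated {bits:.0f} bits"
```

With these assumed values, a 10-character string that satisfies typical "upper, lower, digit, symbol" rules scores about 60 bits and is rejected, while a 24-character random string over the same alphabet scores about 158 bits and passes.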