Rules

Minimum length of either 8 or 16 characters.
A maximum length of 2,048 characters.
Check if password is in breaches? (optional)

It's probably a good idea to make sure they're not putting in a common or breached password. I don't have any other rules, it's pretty simple. I think having the one or more numbers, symbols, capital letters, is a bit overrated. I don't really need it, do I? Got any examples/scenarios on why an application would need or should have something like that? Please, share.

And I encourage people who are writing password this.

Storage

And as for storing passwords, I'm not just gonna leave it as plain-text, unless of course my intent is to steal credentials. So I'd use a strong hashing algorithm like Bcrypt or some variation of Argon2. Hashing the passwords is good enough, or so some of us believe. While I don't doubt that hashing the password is good, I believe that it could be taken further to protecting the passwords.

Yes, encrypt the hash, with something strong. Preferably AES-256 or AES-128. And perhaps a more complex approach signing keys with RSA and encrypting with AES based on that. Not gonna get too far into it(I don't wanna start talking about stuff I don't understand).

Doing it this way gives hackers/crackers whatever you wish to call them, another step. To decrypt the hash, then finally deal with the hash.

Summary

Make sure the password is within (8 or 16)-2,048 characters threshold, optionally check if it's common or breached. Hash the password, then encrypt the hashed password, and finally store it somewhere.