Are there published frameworks or standards for passwords and website membership?

I am currently working on a project in which we are creating a large public website for my organization. This site will allow customers to register and log in to receive confidential personal information.

From experience I know some basics, such as requiring a complex password and requiring an email address to be used for password resets.

Basically, what I'm looking for is some kind of well-documented recommendation or standard (like NIST or ISO) for these requirements.

I need to present this to a higher-level director who insists that we:

  • not require users to have an email address
  • allow our site to display the password back to the user simply upon confirming their name, birthday and SSN
  • send the e-mail in plain text, rather than sending a temporary password by e-mail and bringing them to our site to reset the password
  • assign a simple system-generated username, for example first initial plus the first 3 characters of the last name plus a randomly generated 4-digit number (rather than letting the user pick whatever name they want)

If I can point to some industry standard explaining why these are such risks, it will really help.

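As an added illustration of the second and third points in the question (not code from the original post or any answer): the reason a site cannot "display the password back" is that a correctly built account store never keeps the plaintext, only a salted, slow hash, and the reason a reset should send a link rather than a temporary password is that a single-use, expiring token can be revoked and cannot be reused if the e-mail is read in transit. The example below uses only the Python standard library; the in-memory dict standing in for a database, the `example.com` link, and the 15-minute token lifetime are assumptions made for the example.

```python
"""Added example, not part of the original post: a password store that
cannot reveal the password, plus a single-use, time-limited reset token.
The in-memory dicts are an assumption standing in for a real database."""
import hashlib
import hmac
import secrets
import time

# OWASP's Password Storage Cheat Sheet (2023) suggests 600,000 iterations
# for PBKDF2-HMAC-SHA256; treat the exact figure as an assumption to tune.
PBKDF2_ITERATIONS = 600_000
TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset links expire after 15 minutes


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self._users = {}          # username -> {"email", "salt", "hash"}
        self._reset_tokens = {}   # sha256(token) -> (username, expires_at)

    def register(self, username, email, password):
        salt, digest = hash_password(password)
        self._users[username] = {"email": email, "salt": salt, "hash": digest}

    def verify_login(self, username, password):
        user = self._users.get(username)
        if user is None:
            # Run the KDF anyway so an unknown username takes as long as a
            # wrong password; otherwise timing leaks which usernames exist.
            hash_password(password)
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["hash"])

    def recover_password(self, username):
        """What the director asks for is impossible here: the store only
        holds the hash, so this is all that could ever be shown back."""
        user = self._users.get(username)
        return None if user is None else user["hash"]

    def start_reset(self, username, now=None):
        """Issue a single-use reset token and return the link to e-mail.
        Only a hash of the token is stored, so a database leak does not
        hand out live reset links."""
        user = self._users.get(username)
        if user is None:
            # Callers should reply "if that account exists, mail was sent"
            # in both cases to avoid username enumeration.
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).digest()
        expires_at = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        self._reset_tokens[key] = (username, expires_at)
        # assumption: the site's reset endpoint lives at this URL
        return "https://example.com/reset?token=" + token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use), reject it if expired, and store a
        new salted hash. Returns True on success."""
        key = hashlib.sha256(token.encode("ascii")).digest()
        entry = self._reset_tokens.pop(key, None)   # pop: the token is spent
        if entry is None:
            return False
        username, expires_at = entry
        if (now if now is not None else time.time()) > expires_at:
            return False
        salt, digest = hash_password(new_password)
        self._users[username].update(salt=salt, hash=digest)
        return True


def token_from_link(link):
    """Helper for the reader: pull the token back out of the mailed link."""
    return link.split("token=", 1)[1]
```

Note that `recover_password` is deliberately the only "recovery" path and it cannot return the password; if a system can show a password back after answering name, birthday and SSN, the plaintext (or something equivalent) is being stored, and those three fields are exactly what an attacker who already has the user's personal data can supply.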
3 answers

First answer (translated; most of the reply text was lost in extraction, and only the points it quoted from the question can be recovered). The answerer goes through the director's ("Pointy-Haired") demands one by one:

  • not requiring users to have an email address

  [reply text lost in extraction]

  • displaying the password back to the user after confirming name, birthday and SSN

  [reply text lost in extraction]

  • sending e-mail in plain text rather than a temporary password and a visit to the site to reset the password

  LOL! [remainder of reply lost in extraction]

  • assigning a system-generated username: first initial, 3 characters of the last name and a 4-digit random number

  [reply text lost in extraction]

Second answer (translated; only the opening word survived extraction): points the asker to OWASP. [remainder of reply lost in extraction]


Source: https://habr.com/ru/post/1720087/