Thanks for sharing that very nice insight, which I'll quote here for user-friendliness to those who would end up reading this comment.
Jtom said: "Naw. I know an idiot who has the best password protection. He creates an eighteen-character (or the longest permitted length) password of random alpha-numeric, upper/lower case, and special characters, does not maintain a copy of it, and doesn't try to memorize it. Then he resets the password every time he wants to log in."
That is exactly a common way users deal with complex password rules. This is why NIST's latest guidelines (as well as Microsoft's latest research publication on the matter) both point toward a saner set of rules for the future, such as:
1.) No more arcane requirements.
2.) Let them use ANY character they want, even emojis. No character should be off limits. (Looking at you, old bank systems)
3.) Just demand a minimum length.
4.) Check the password against a (regularly-updated) list of the most common bad/breached passwords, and notify users.
Basically, these new rules DECREASE the technical requirements, so that we end up decreasing the mental load on (very uninterested) users. In other words, we're decreasing the technical features in an attempt to increase the human/psychological features. And authentication (passwords, remembering them, typing them...) being a very human-centric activity, users can use all the psychological-friendliness they can get. The end goal? We hope, at least, that users would then have a far easier time actually thinking of good passwords, would not write them down on a post-it, and that less of IT's time would be wasted on recurring "please reset my password" support calls.
We're betting, basically, that accounting for human factors, instead of solely technical factors like most traditional password policies do, will make the whole thing much better.
Thanks for the interesting comment, Jtom!
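As an added illustration of the rules listed in the comment above (this is example code written for this page, not code from the commenter, from NIST, or from Microsoft): a verifier-side check that enforces only a length floor (and a generous ceiling), accepts any Unicode character including emoji, NFKC-normalizes the input before comparing or hashing it, and rejects anything found in a breached/common-password list. The blocklist and the breach counts below are constructed stand-ins; a real deployment would load a regularly refreshed corpus. The second half models the prefix/suffix "range" lookup pattern used by k-anonymity breach-check APIs (the client only sends the first five hex characters of the SHA-1 and matches the suffix locally); the server side is replaced here by a local stub so the whole thing runs offline.

```python
"""NIST-style password policy: minimum length, any character, breach-list check."""
import hashlib
import unicodedata

MIN_LENGTH = 8    # length floor for user-chosen passwords
MAX_LENGTH = 64   # allow long passphrases; do not truncate silently

# Constructed stand-in for a regularly refreshed breached/common-password list.
# Entries are stored casefolded so trivial case variants are caught too.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "p@ssw0rd",
    "summer2024!", "passwordpassword",
}

# Constructed breach counts for the range-lookup stub (not real statistics).
BREACH_COUNTS = {"password": 12345, "qwerty": 678, "letmein": 42}


def normalize(password: str) -> str:
    """NFKC-normalize so the same visible string hashes identically regardless
    of how the client composed it (e.g. the 'fi' ligature becomes 'fi')."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, breached=BREACHED_PASSWORDS):
    """Return (ok, reason). No composition rules: every code point is allowed."""
    pw = normalize(password)
    n = len(pw)  # counts code points, so one emoji counts as one character
    if n < MIN_LENGTH:
        return False, f"too short ({n} characters, minimum {MIN_LENGTH})"
    if n > MAX_LENGTH:
        return False, f"too long ({n} characters, maximum {MAX_LENGTH})"
    if pw.casefold() in breached:
        return False, "appears in the breached/common password list"
    return True, "ok"


def sha1_split(password: str):
    """Split the uppercase hex SHA-1 of the normalized password into the
    5-character prefix the client sends and the 35-character suffix it keeps."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_response(prefix: str, breach_counts=BREACH_COUNTS) -> str:
    """Local stub for the server side of a range lookup: one 'SUFFIX:COUNT'
    line per known-breached password whose hash starts with `prefix`."""
    lines = []
    for pw, count in breach_counts.items():
        p, s = sha1_split(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def breach_count_from_range(password: str, response_text: str) -> int:
    """Match our own suffix against the returned range; 0 means not found."""
    _, suffix = sha1_split(password)
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


def check_password_with_range(password: str, breach_counts=BREACH_COUNTS):
    """Full flow: local policy check, then the k-anonymity range lookup."""
    ok, reason = check_password(password)
    if not ok:
        return False, reason
    prefix, _ = sha1_split(password)
    response = build_range_response(prefix, breach_counts)  # stub for a network call
    count = breach_count_from_range(password, response)
    if count:
        return False, f"seen {count} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["short", "P@ssw0rd", "🐴horse🔋battery📎staple", "letmein123"]:
        print(repr(candidate), "->", check_password_with_range(candidate))
```

Two details worth noting: the length is measured in code points after normalization, not in bytes, so an emoji-heavy password is not rejected as "too long" by a byte-counting check; and the password itself never leaves the client in the range lookup, only a 5-character hash prefix, which is what makes a third-party breach check acceptable in the first place.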