Doing a little bit of work-related reading today and learned a few things about passwords based on a 2013 Derbycon presentation:
Password rotation introduces password vulnerabilities (I actually already knew this and have complained about it at various jobs, but what can you do)
*Users will invent ways to remember their password
**90-day rotation - seasonal password
**30-day rotation - month-based password
***Users will use the same root word for future passwords and only change numbers and special characters
Keyboard patterns, e.g. qwe123, are easily defeated by Hashcat
Special rules required?
*There is an order to which characters, numbers, and special characters people will use
*There is an order to where they will place specific characters
**These patterns are universal
***Exclamation point is the most commonly used special character
***Capital letters are almost always the first letter in a password
***If the rules require a special character and a digit, the special character and the digit will be at the end.
Simple stuff, but with the tools and hardware available now it is almost trivial to compromise a password.
(Note: I am claiming no special expertise in password cracking, just remarking on what I was reading and viewing.)
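As an added example (not from the presentation or the post above), here is a Python check that a password-change handler could run to reject the predictable patterns listed: the same root word as the previous password with only digits and specials changed, a season or month name, a keyboard-row run like qwe123, and the capital-first, digits-and-specials-last shape. The word lists and keyboard rows are constructed and deliberately short.

```python
import re

# Constructed word lists; extend them for your own environment.
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Keyboard rows (US layout) used to spot runs such as "qwe" or "123".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def root_word(password: str) -> str:
    """The alphabetic 'root' left once digits and specials are stripped."""
    return "".join(c for c in password if c.isalpha()).lower()


def has_keyboard_run(password: str, min_len: int = 3) -> bool:
    """True if any min_len-character slice of a keyboard row appears."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            if row[i:i + min_len] in lowered:
                return True
    return False


def uses_calendar_word(password: str) -> bool:
    """Season or month name inside the root word (the 90-day / 30-day habit)."""
    root = root_word(password)
    return any(word in root for word in SEASONS | MONTHS)


def has_predictable_shape(password: str) -> bool:
    """Capital first letter, lowercase body, digits/specials only at the end."""
    return re.fullmatch(r"[A-Z][a-z]+[^A-Za-z]+", password) is not None


def check_rotation(new_password: str, old_passwords: list) -> list:
    """Return the reasons a proposed password is predictable; [] means it passed."""
    reasons = []
    new_root = root_word(new_password)
    if new_root and any(new_root == root_word(old) for old in old_passwords):
        reasons.append("same root word as a previous password (only digits/specials changed)")
    if uses_calendar_word(new_password):
        reasons.append("contains a season or month name")
    if has_keyboard_run(new_password):
        reasons.append("contains a keyboard-row sequence")
    if has_predictable_shape(new_password):
        reasons.append("capital first letter with digits/specials only at the end")
    return reasons
```

The root-word comparison only works at the moment of the change, when the user has just typed the old password; keeping old passwords in cleartext to compare later would defeat the purpose, so pass only what the change request itself supplies.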