One key finding the team confirmed (by studying groups of people who were asked to create passwords under a variety of composition requirements and then recall them days later) was that when people are told a password must contain letters and at least one number, they typically make every character but one a letter and put the single digit at the end. Mathematically, the regularity of that scheme sharply reduces the number of candidates a password-cracking tool has to try before it recovers the password by brute force. Not every password follows the pattern, but an attacker whose tool exploits this kind of human predictability will break many accounts far faster than one whose tool does not. Other problems show up as well, such as the tendency to pair certain words and phrases, to use widely known dates, and so on. Unfortunately all of this stems from human behavior and is hard to overcome.
The study also found that when a policy required a minimum length of 16 characters, people tended to repeat words within their passwords, cutting by orders of magnitude the effort a cracking tool armed with knowledge of that habit needs in order to compromise many accounts. (Some people repeat words in passwords shorter than 16 characters too, but at 16 characters the pattern becomes consistent.)
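To make the two findings above concrete, here is an added Python example (written for this post, not code from the study or the article it summarizes). It computes how much of the search space the "all letters plus one trailing digit" habit gives away compared with an attacker who only knows the policy, and implements the two checks a password-strength checker could use to reject the habits described: a single digit appended to letters, and a word repeated inside a long password. The character-class sizes, function names, and sample passwords are assumptions constructed for the illustration.

```python
import math
import re
from typing import List, Optional

# Assumed character classes for the estimate (constructed for this example).
LETTERS = 52  # a-z plus A-Z
DIGITS = 10   # 0-9


def policy_space(length: int) -> int:
    """Candidates an attacker must cover if it knows only the policy
    ("letters and at least one digit") and nothing about human habits:
    all strings over letters+digits minus the strings with no digit."""
    return (LETTERS + DIGITS) ** length - LETTERS ** length


def behavior_space(length: int) -> int:
    """Candidates if the attacker also assumes the observed habit:
    every position but the last is a letter and the last is one digit."""
    return LETTERS ** (length - 1) * DIGITS


def bits_saved(length: int) -> float:
    """Guessing work, in bits, that the habit gives away at this length.
    The gap widens as the password gets longer."""
    return math.log2(policy_space(length)) - math.log2(behavior_space(length))


# Detection checks a strength meter could run before accepting a password.
_LETTERS_THEN_ONE_DIGIT = re.compile(r"[A-Za-z]+[0-9]")


def is_letters_then_one_digit(password: str) -> bool:
    """True for the observed scheme: all letters with one digit appended."""
    return _LETTERS_THEN_ONE_DIGIT.fullmatch(password) is not None


def longest_repeated_chunk(password: str, min_len: int = 3) -> Optional[str]:
    """Longest substring of at least min_len characters that occurs at least
    twice without overlapping (case-insensitive), e.g. 'monkey' in
    'MonkeyMonkey1234'. Returns None when there is no such repeat."""
    s = password.lower()
    for size in range(len(s) // 2, min_len - 1, -1):
        for start in range(len(s) - size + 1):
            chunk = s[start:start + size]
            if s.count(chunk) >= 2:  # str.count counts non-overlapping hits
                return chunk
    return None


def predictability_flags(password: str) -> List[str]:
    """Flags describing which of the two habits a password exhibits."""
    flags = []
    if is_letters_then_one_digit(password):
        flags.append("single-digit-at-end")
    chunk = longest_repeated_chunk(password)
    if chunk is not None:
        flags.append("repeated-chunk:" + chunk)
    return flags


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"length {n}: the trailing-digit habit gives away "
              f"{bits_saved(n):.1f} bits of guessing work")
    # Sample passwords constructed for the example.
    for pw in ("Password1", "MonkeyMonkey1234", "correcthorsebattery"):
        print(pw, predictability_flags(pw))
```

At length 8 the habit shrinks the policy-aware search space by roughly 16x (about 4 bits), and the saving grows with length, which is why a behavior-aware cracker pulls ahead of a naive one as policies demand longer passwords. The repeated-chunk check deliberately looks for any repeated run rather than dictionary words, so it also catches habits like "abcabc" that a wordlist would miss.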
The article does have some suggestions but I don't know how useful you will find them.