My blogpost on this topic at Oversitesentry shows the NIST-80063B publication to note that a long password is better for overall security rather than a complex password policy.
The issue is that users tend to not have good habits if they are constantly having to create new passwords (every 3 months) which in effect means 4 passwords a year, and if one is a long term employee, one will have to keep up with 12 passwords in 3 years. Thus one is making all computer identity management tasks more difficult
This is one of my favorite pictures(from storyblocks.com image): Do you think human psychology has anything to do with this? Maybe we have a natural