Re: The Usual Response...
rules about changing every one to three months, demanding mixes of upper case, lower case, special characters, numbers, no repeated characters
Aside from the last, none of those should be any real impediment to using real-world passphrases. It's quite easy to construct natural-language phrases which "naturally" (i.e. in a manner familiar to a reader of that language) include mixed case, punctuation, and numerals. And memorizing such phrases is not particularly difficult, so having to change them periodically isn't a problem either.[1]
One technique is to choose words at random from a dictionary until you can assemble a phrase in the style of a newspaper headline; then add a numeral and some punctuation. For example, here are a few I selected from a list of words I extracted at random from aspell's US-English dictionary:
Norrie's, cashier, unstable, syphilis, unmanageable, newsreel, show
I just chose those from the first screenful, in about 10 seconds of looking. From those I could make:
Cashier Norrie's unstable syphilis unmanageable; newsreel shown at 11:00
That shouldn't take much effort to memorize, and the use of capitalization, punctuation, and numerals is natural.
Now, that doesn't have a ton of information entropy. With Shannon's estimate of around 1.5 bits of entropy per English letter, we have only "about" 110 bits at best from the text. Since the capitalization is natural, an attacker who knows our scheme (Kerckhoffs's Principle) can guess those, so that adds nothing. Similarly the use of numerals and punctuation isn't contributing a lot.
Now 110 bits still sounds pretty good (much better than that 8-character NTLM minimum password), but some experts think Shannon's estimate is too high in this context, particularly if attackers apply well-trained models to the problem. Someone who duplicated my aspell-based dictionary (around 150K words) and tagged them with part-of-speech information, then trained a model on plausible headline-style phrase structuring, could narrow the search space down quite a lot.
Still, if you really want passphrases you can memorize, you can accommodate quite a lot of those largely-pointless password restrictions. The tough ones are length limitations and especially idiotic prohibitions like the one on repeated characters.
[1] And, of course, you can always use a passphrase manager blah blah we've all read a thousand posts pointing this out.
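As an added illustration of the two entropy estimates discussed in the post (this is my code, not the poster's): it picks words with a CSPRNG, then compares the entropy that actually comes from the random selection (n * log2(N), assuming the poster's figure of roughly 150K aspell words) with the Shannon-style 1.5-bits-per-character estimate applied to the finished phrase. The embedded word list is a constructed stand-in; in practice you would load one word per line from the real dictionary file.

```python
import math
import secrets

# Constructed stand-in for a real dictionary (aspell's US-English list has
# about 150K entries); the real thing would be read from a file.
WORDLIST = [
    "cashier", "unstable", "syphilis", "unmanageable", "newsreel", "show",
    "lantern", "orbit", "quarry", "velvet", "hinge", "marble", "tundra",
    "gossip", "pylon", "saddle", "ember", "quartz", "nimble", "fjord",
]
ASPELL_SIZE = 150_000  # the poster's approximate aspell dictionary size


def random_words(wordlist, n):
    """Pick n words uniformly and independently with a CSPRNG.

    secrets.choice, not random.choice: the selection is the only part of the
    scheme the attacker cannot model, so it must be unpredictable.
    """
    return [secrets.choice(wordlist) for _ in range(n)]


def selection_entropy_bits(wordlist_size, n_words):
    """Entropy of n independent uniform picks from N words: n * log2(N)."""
    return n_words * math.log2(wordlist_size)


def shannon_estimate_bits(phrase, bits_per_char=1.5):
    """Shannon-style estimate: ~1.5 bits per character of English text.

    This is an upper-ish bound on what the text itself contributes; natural
    capitalization and headline punctuation are guessable and add little.
    """
    return bits_per_char * len(phrase)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try every candidate at a constructed guess rate (risk check)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(phrase, wordlist_size, n_words):
    """Return both estimates for a phrase built from n_words random words."""
    return {
        "selection_bits": selection_entropy_bits(wordlist_size, n_words),
        "shannon_bits": shannon_estimate_bits(phrase),
    }


if __name__ == "__main__":
    words = random_words(WORDLIST, 7)
    print(" ".join(words), compare(" ".join(words), ASPELL_SIZE, 7))
```

Run against the poster's own headline the Shannon figure comes out at 108 bits (72 characters), while seven uniform picks from 150K words would carry about 120 bits; choosing by eye from a screenful, as the post does, gives less than the latter.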