Lazy, lazy people
1. Default character limit
2. Add numbers, symbols, and uppercase
3. Rotated at minimum every 3 months
What can we do to improve upon that? 2FA is a good start; personally, if I were smart enough, I'd create a password creation system that doesn't allow proper words from a dictionary at all.
2FA is a really good start. Definitely none of this biometric, my fingerprint is both my UID and my password crap. How about a check by sites that rely on password using a hash comparison much as was done for this study?
As far as not allowing proper words, if you just rely on the math, you could allow it if you stipulated a minimum number of words be used to get the same degree of complexity as a more standard password requiring upper, lower, numeric and special characters. You might also have to adjust hashing to avoid collisions due to the greater number of characters involved. An unabridged English dictionary has about 470,000 entries (https://www.merriam-webster.com/help/faq-how-many-english-words). Knocking that down to the most common words, let's call it 100,000, still gets you huge variability. More educated people are apt to have a larger vocabulary, but less educated people are more likely to misspell words, so from this very loose analysis there is little practical difference in terms of resistance to brute force or dictionary attacks.
A four word pass phrase, assuming any may be capitalized, would yield somewhere around 1.6E21 combinations. Assuming 100 possible characters for use with a more standard style password, it would have to be 10 or 11 characters in length to achieve the same.
Perhaps an interesting follow up on this might be passwords as used by mobile users vs those generated from a regular keyboard.
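The passphrase arithmetic in the comment above, carried through in code as an added example that is not part of the thread: it generalises the one instance given (100,000 common words, four words, optional capitalisation, versus a 100-character alphabet) to any vocabulary size, word count and alphabet, and expresses the search space in bits so different schemes can be compared directly. The "one dictionary word plus a capital, two digits and a symbol" model used for contrast is my own assumption of what the three rules at the top of the thread typically produce, not something the commenters specify.

```python
import math

# Figures taken from the comment above: a trimmed vocabulary of roughly
# 100,000 common words, and about 100 usable keyboard characters.
VOCAB_SIZE = 100_000
ALPHABET_SIZE = 100


def passphrase_combinations(vocab_size: int, n_words: int, allow_capitalization: bool = True) -> int:
    """Size of the search space for an n-word passphrase drawn from a vocabulary.

    Each word is chosen independently; if capitalisation is allowed, every
    word may appear in two forms, doubling the per-word choices.
    """
    per_word = vocab_size * (2 if allow_capitalization else 1)
    return per_word ** n_words


def entropy_bits(combinations: int) -> float:
    """Search space expressed as bits of entropy (log2), assuming uniform choice."""
    return math.log2(combinations)


def equivalent_char_length(combinations: int, alphabet_size: int) -> int:
    """Shortest random character password over `alphabet_size` symbols whose
    search space is at least `combinations`. Integer arithmetic is used so
    exact powers are not misjudged by floating-point rounding."""
    length = 0
    space = 1
    while space < combinations:
        space *= alphabet_size
        length += 1
    return length


def complexity_rule_combinations(vocab_size: int) -> int:
    """Assumed model of what the classic 'add a capital, numbers and a symbol'
    rules usually yield in practice: one dictionary word, first letter either
    case, two appended digits, and one of ~32 symbols. This is an assumption
    for illustration, not a figure from the thread."""
    case_choices = 2
    digit_choices = 10 ** 2
    symbol_choices = 32
    return vocab_size * case_choices * digit_choices * symbol_choices


def compare_schemes(n_words: int = 4) -> dict:
    """Put the comment's passphrase next to a character password of equal
    strength and next to the assumed complexity-rule password."""
    phrase = passphrase_combinations(VOCAB_SIZE, n_words)
    rules = complexity_rule_combinations(VOCAB_SIZE)
    return {
        "passphrase_combinations": phrase,
        "passphrase_bits": round(entropy_bits(phrase), 1),
        "equivalent_random_chars": equivalent_char_length(phrase, ALPHABET_SIZE),
        "complexity_rule_combinations": rules,
        "complexity_rule_bits": round(entropy_bits(rules), 1),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

For the thread's numbers the four-word phrase comes out at 200,000^4 = 1.6E21 possibilities, about 70 bits, which a random 100-symbol password only reaches at 11 characters (10 characters give 1E20). The assumed rule-driven password, by contrast, sits near 29 bits, which is the practical point behind the comment's "just rely on the math": a minimum word count buys far more than forced symbol substitutions.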