> There is reason to believe that the more “strength requirements” we impose on people, the worse the passwords that they create may get.

I'd love to see empirical evidence of this.

Has anyone compared password requirements against password strength from leaked passwords? I've been Googling, but have not found it.