"Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules."
I'm not disputing this statement, but there is no reference to the supporting research either. I get that this isn't an academic paper, but I'd be curious to see the research they're referring to nonetheless. Does anyone here happen to know what they may have relied on for that claim?
However, all that research is incredibly weak (like so much of infosec research). It's mostly based on observational data, so the usual caveat "correlation != causation" applies.