The FTC has looked a bit into the evidence of password policies: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-r...

However all that research is incredibly weak (like so much of infosec research). It's mostly based on observational data, so the usual caveat "correlation!=causation" applies.