A new research paper by Microsoft examines the economics of "security advice" and how users react to password rules, phishing URLs and certificate errors.  Their conclusion on password rules is similar to the one that we discussed here in the SANS ISC diary a couple weeks ago.