The primary objective of a theoretically sound password formulation policy is password diversity – we want our identity system to contain lots of different, hard to guess passwords.
There are several ways to achieve this but unfortunately most of the common approaches in use today, such as length requirements, complexity requirements, and change requirements, are far from helpful.