Secure Password Policies

Password policies are created so that users can create a strong password that can withstand attacks. But there are still many cases in the news where we can read that passwords are cracked and result in data breaches. This indicates that there are still problems with passwords when used in authentication. Creating policies that result in strong passwords and sufficient usability is still a problem. Users react to different criteria in different ways which results in different approaches they have when creating passwords.

In what way do users adhere to the different criteria and how do they counter difficult criteria? How can we use this when we try to break passwords and help create more secure passwords?