Password Policies

Call to research: understanding why system administrators are not following these best practices

Our findings highlight a clear gap between password policy research and practice. We suggest future research that directly engages with system administrators, in order to understand how they reason about password security. Researchers may then be able to uncover the causes of the disconnect between industry and the academic community, and take steps towards closing it.

Some hypotheses include:

  • Password policy is security theater: measures such as character-class PCPs (password composition policies), even if ineffective, may give users a false sense of security, and websites use them for this reason.
  • Websites have shifted their attention to adopting other authentication technologies, such as multi-factor authentication (MFA), and believe that it is therefore unnecessary to strengthen their password policies. (Note that SMS-based MFA has severe weaknesses, so this view may be overoptimistic [1, 2].)
  • Websites need to pass security audits, and the firms that conduct these audits, such as Deloitte, recommend or mandate outdated practices.
  • Websites face some other practical constraint that the academic community does not know about.
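To make the first hypothesis concrete, the following is an added illustration (not code from the page or the underlying paper) of why a character-class PCP can be "security theater": it accepts predictable, widely leaked patterns such as `Password1!` because they tick every class box, while rejecting a long passphrase that has far more entropy. It is compared against a minimum-length-plus-blocklist check of the kind NIST SP 800-63B recommends. The blocklist here is a constructed five-entry stand-in for a real leaked-password list, and the function names and thresholds are assumptions for this example.

```python
import re

# Constructed stand-in for a leaked-password blocklist (a real deployment would
# load millions of entries from a breach corpus). Stored lowercased.
COMMON_PASSWORDS = {"password1!", "p@ssw0rd", "welcome1!", "summer2023!", "qwerty123!"}


def passes_character_class_policy(pw: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """A typical character-class PCP: at least min_length characters and at
    least min_classes of the four classes (lower, upper, digit, symbol)."""
    classes = (
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[0-9]", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    )
    return len(pw) >= min_length and sum(classes) >= min_classes


def passes_length_and_blocklist_policy(pw: str, min_length: int = 12) -> bool:
    """Length plus blocklist check: no class requirements, but the password
    must not appear (case-insensitively) in the known-compromised set."""
    return len(pw) >= min_length and pw.lower() not in COMMON_PASSWORDS


def compare(pw: str) -> tuple[bool, bool]:
    """Return (character-class verdict, length+blocklist verdict) for pw."""
    return passes_character_class_policy(pw), passes_length_and_blocklist_policy(pw)


if __name__ == "__main__":
    # Constructed sample candidates covering the interesting cases.
    samples = [
        "Password1!",                   # satisfies all four classes, but leaked everywhere
        "Summer2023!",                  # common seasonal pattern, also on the blocklist
        "correct horse battery staple", # long passphrase, only two classes
        "horse-battery-staple-42",      # long and not blocklisted: both policies accept
    ]
    print(f"{'password':32} {'char-class':>10} {'len+blocklist':>14}")
    for s in samples:
        cc, lb = compare(s)
        print(f"{s:32} {str(cc):>10} {str(lb):>14}")
```

The table printed by the block shows the disagreement directly: the two blocklisted passwords pass the character-class policy and fail the blocklist check, and the passphrase does the reverse. Only the last candidate satisfies both, which is the behaviour a site would want if it kept composition rules at all.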