Behavioural biometrics have the potential to provide an additional or alternative authentication mechanism to those involving a shared secret (i.e., a password). Keystroke timings are the focus of this study, where key press and release timings are acquired whilst monitoring a user typing a known phrase. Many studies of keystroke biometrics exist, but there is an absence of literature aiming to understand the relationship between characteristics of password policies and the potential of keystroke biometrics. Furthermore, benchmark data sets used in keystroke biometric research do not enable useful insights into the relationship between their capability and password policy. In this work, we consider substitutions of uppercase, numeric, and special characters, and their combination, on passwords derived from English words. We acquire timings for 42 participants for the same 40 passwords. We implement a matching system using the Manhattan distance measure with seven different feature sets, culminating in an Equal Error Rate of between 6% and 11% and accuracy values between 89% and 94%, demonstrating comparable accuracy to other threshold-based systems. Further analysis suggests that the best feature sets are those containing all timings and trigraph press-to-press timings. Evidence also suggests that phrases containing fewer characters have greater accuracy, except for those with special character substitutions.
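The following sketch shows how a threshold-based Manhattan-distance matcher and its Equal Error Rate can be computed from press and release timings. It is an added example, not the study's code: the feature definitions, the mean-vector template, the helper names and the sample timings are all assumptions made for illustration.

```python
# Added illustration; feature definitions and sample timings are assumptions.
def attempt(holds, gaps):
    """Build (press_ms, release_ms) events from hold times and release-to-press gaps."""
    events, t = [], 0
    for i, h in enumerate(holds):
        events.append((t, t + h))
        if i < len(gaps):
            t += h + gaps[i]
    return events

def features(events):
    """'All timings' vector: hold, digraph press-to-press and release-to-press, trigraph press-to-press."""
    press = [p for p, _ in events]
    release = [r for _, r in events]
    n = len(events)
    hold = [r - p for p, r in events]
    di_pp = [press[i + 1] - press[i] for i in range(n - 1)]
    di_rp = [press[i + 1] - release[i] for i in range(n - 1)]
    tri_pp = [press[i + 2] - press[i] for i in range(n - 2)]
    return hold + di_pp + di_rp + tri_pp

def template(enrolment):
    """Per-feature mean over the enrolment attempts."""
    vectors = [features(e) for e in enrolment]
    return [sum(col) / len(col) for col in zip(*vectors)]

def manhattan(tmpl, events):
    """L1 distance between the template and one attempt's feature vector."""
    return sum(abs(a - b) for a, b in zip(tmpl, features(events)))

def equal_error_rate(genuine, impostor):
    """Sweep thresholds (accept if distance <= t); return (error, t) where FAR and FRR are closest."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far = sum(s <= t for s in impostor) / len(impostor)
        frr = sum(s > t for s in genuine) / len(genuine)
        if best is None or abs(far - frr) < best[0]:
            best = (abs(far - frr), (far + frr) / 2, t)
    return best[1], best[2]

# Constructed timings (ms) for one four-character password.
ENROL = [attempt([90, 80, 100, 85], [60, 70, 50]),
         attempt([94, 78, 104, 83], [64, 66, 52]),
         attempt([86, 82, 96, 87], [56, 74, 48])]
TMPL = template(ENROL)
GENUINE = [manhattan(TMPL, attempt([92, 81, 98, 86], [62, 69, 53])),
           manhattan(TMPL, attempt([88, 84, 103, 80], [57, 75, 46]))]
IMPOSTOR = [manhattan(TMPL, attempt([120, 110, 130, 115], [30, 40, 35])),
            manhattan(TMPL, attempt([70, 60, 75, 65], [110, 120, 100])),
            manhattan(TMPL, attempt([91, 79, 101, 84], [61, 71, 49]))]  # similar rhythm
```

With only five constructed probes the resulting error rate is far coarser than the study's figures; the point is the mechanics of trading false accepts against false rejects at a single distance threshold.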