Last week Bruce Schneier and others blogged about the Security Myths and Passwords paper written by Professor Eugene H. Spafford concerning the best practices or “rules of thumb” that many people accept without careful consideration, particularly policies requiring regular password changes (e.g., monthly). As someone developing a password policy that requires regular password changes, in my case every 90 days, I understand his logic but also disagree to some degree. Until we can move folks to using, and also requiring, long passwords as a norm, requiring periodic password changes, not every 30 days mind you, will still be necessary.
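To make the trade-off behind that position concrete, here is an added worked example (mine, not the post's or either paper's) that compares a short complex password with a long simple one under an offline guessing model. The guessing rate, the two password shapes, and the 90-day interval are constructed inputs; the question it answers is whether a rotation interval is shorter than the expected time to exhaust the password's search space, which is the only case in which forced changes limit exposure of a stolen hash.

```python
import math

# Constructed parameters for illustration (not from the post): an assumed
# offline guessing rate and two password shapes being compared.
ASSUMED_GUESSES_PER_SECOND = 1e10   # hypothetical offline hash-cracking rate
SECONDS_PER_DAY = 86_400


def search_space_bits(length: int, charset_size: int) -> float:
    """Bits of search space for a uniformly random password of the given
    length over an alphabet of charset_size symbols (length * log2(size))."""
    return length * math.log2(charset_size)


def expected_crack_days(length: int, charset_size: int,
                        guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected days for exhaustive search to hit a uniformly random password;
    on average half the space must be tried before the match is found."""
    space = charset_size ** length
    return (space / 2) / guesses_per_second / SECONDS_PER_DAY


def rotation_matters(length: int, charset_size: int, rotation_days: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> bool:
    """True when an attacker holding a stolen hash could expect to recover the
    password before the rotation interval expires, i.e. when forced changes
    actually shorten the window in which the recovered password is useful."""
    return expected_crack_days(length, charset_size, guesses_per_second) < rotation_days


if __name__ == "__main__":
    rotation = 90  # the post's policy interval, in days
    for label, length, charset in (
        ("8-char complex (upper/lower/digit/symbol, 94 symbols)", 8, 94),
        ("20-char lowercase passphrase (26 symbols)", 20, 26),
    ):
        print(f"{label}: {search_space_bits(length, charset):.1f} bits, "
              f"~{expected_crack_days(length, charset):.3g} days to exhaust, "
              f"{rotation}-day rotation limits exposure: "
              f"{rotation_matters(length, charset, rotation)}")
```

Under these assumptions the 8-character complex password is expected to fall in a few days, so a 90-day rotation does shorten the exposure window, while the 20-character lowercase password sits far beyond any rotation interval, which is the situation in which forced changes stop buying anything. The model treats every character as uniformly random; a passphrase built from dictionary words has far less entropy than 26^20, and neither rotation nor length helps against a password captured by phishing or reused elsewhere, so the numbers support the post's ordering of the two policies rather than a specific length threshold.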
Recently Jesper Johansson posted a blog entry about a paper he and Steve Riley wrote titled “Deconstructing Common Security Myths”, which appears in the May/June issue of TechNet Magazine. The paper is a good read and has a section on complex passwords vs. long passwords. The myths he covers are:
It's Always Better to Wait for an Official Solution to a Problem
You Should Wait Before Deploying an OS or Service Pack
Password Cracking is a Valid Way to Ensure that We Have Strong Passwords.
Passwords Must Be Complex to Be Strong.
You Can Always Roll Back Configuration Errors with Setup security.inf
NTLM Is Bad, and You Should Disable It.
Don't Allow User Names to Display Because They Leak Half the Secret You Need to Log On.
Let's Block Bad Stuff.
Security Controls Are Better When Centralized.
I've Updated. I've got Antimalware. I've got a Firewall. I'm safe.
Host-Based Firewalls Must Filter Outbound Traffic to be Safe.