Security Myths

Last week Bruce Schneier and others blogged about the Security Myths and Passwords paper written by Professor Eugene H. Spafford, concerning the best practices or “rules of thumb” that many people accept without careful consideration, particularly policies requiring regular password changes (e.g., monthly). As someone developing a password policy requiring regular password changes, in my case every 90 days, I understand his logic but also disagree to some degree. Until we can move folks to using, and also requiring, long passwords as a norm, requiring periodic password changes, not every 30 days mind you, will still be necessary.

Recently Jesper Johansson posted a blog entry about a paper he and Steve Riley wrote, titled “Deconstructing Common Security Myths”, which appears in the May/June 2006 issue of TechNet Magazine. The paper is a good read and has a section on complex passwords vs. long passwords. The myths they cover are:

It's Always Better to Wait for an Official Solution to a Problem

You Should Wait Before Deploying an OS or Service Pack

Password Cracking Is a Valid Way to Ensure That We Have Strong Passwords

Passwords Must Be Complex to Be Strong

You Can Always Roll Back Configuration Errors with Setup security.inf

NTLM Is Bad, and You Should Disable It

Don't Allow User Names to Display Because They Leak Half the Secret You Need to Log On

Let's Block Bad Stuff

Security Controls Are Better When Centralized

I've Updated. I've Got Antimalware. I've Got a Firewall. I'm Safe.

Host-Based Firewalls Must Filter Outbound Traffic to Be Safe
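To make the "complex vs. long" point concrete, here is an added example (mine, not code from this post or from either paper) that compares the brute-force search space of a short complex password with that of a long simple one and checks a candidate against both styles of policy. The character-class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols including the space, 95 in total), the minimum lengths (8 for the complex policy, 15 for the long one) and the sample passwords are my assumptions chosen for the illustration.

```python
import math
import string

# Character-class sizes: an assumption for this illustration, covering the
# 95 printable ASCII characters (32 punctuation marks plus the space as "symbol").
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation) + 1,
}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a password of `length` characters drawn
    uniformly from an alphabet of `alphabet_size` symbols (log2 of the
    number of candidates an exhaustive attacker must try)."""
    return length * math.log2(alphabet_size)


def classes_used(password: str) -> set:
    """Which of the four character classes actually appear in the password."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def effective_bits(password: str) -> float:
    """Upper bound on the search space an attacker faces if they know which
    character classes are present but nothing else. A dictionary or phrase
    attack on a real passphrase will do better than this bound; it is an
    upper bound, not a strength score."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return keyspace_bits(alphabet, len(password))


def passes_complex_policy(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Typical 'complexity' rule: at least 8 characters and 3 of the 4 classes."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def passes_long_policy(password: str, min_len: int = 15) -> bool:
    """Length-only rule: 15 characters, no class requirement (assumed threshold)."""
    return len(password) >= min_len


def compare(password: str) -> dict:
    """Summarise how one candidate fares under both policies."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "upper_bound_bits": round(effective_bits(password), 1),
        "complex_policy": passes_complex_policy(password),
        "long_policy": passes_long_policy(password),
    }


if __name__ == "__main__":
    # Minimum search space each policy guarantees, if users do the bare minimum.
    print("complex policy floor (8 chars, 95 symbols):",
          round(keyspace_bits(95, 8), 1), "bits")
    print("long policy floor (15 chars, lowercase only):",
          round(keyspace_bits(26, 15), 1), "bits")
    # Constructed sample passwords, not real credentials.
    for pw in ["Passw0rd!", "correcthorsebatterystaple", "correct horse battery staple"]:
        print(repr(pw), compare(pw))
```

The floors are the interesting numbers: a complex policy's worst case (8 characters from all 95 symbols) is about 52.6 bits, while a length policy's worst case (15 lowercase letters) is about 70.5 bits, so the length rule guarantees more even before anyone mixes in a symbol. The upper-bound figure for a passphrase is deliberately optimistic, which is why the policy check, not the bit count, is the thing to enforce.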



Steve Mullen has been involved in information technology for over 35 years. He is also actively involved in the music program (voice and English hand bells) and Vestry of St. Anne’s Episcopal Church in Damascus, MD.

Posted in Blog, IT Management, Security, Technology

May 2006