http://blogs.technet.com/steriley/archive/2006/04/30/Security-myths-and-passwords.aspxI like this a lot. http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/ In the practice of security we have accumulated a number of “rules of thumb” that many people accept without careful consideration. Some of these get included in policies, anden-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/steriley/archive/2006/04/30/Security-myths-and-passwords.aspx#426865Mon, 01 May 2006 01:17:10 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:426865Dan HalfordI have always felt that by requiring regular password changes, site administrators do very little to improve the security of the site. They simply ensure that users pick a succession of equally insecure passwords (xxx1, xxx2, xxx3, etc). <br> <br>Password frequency is never a substitute for good operational security and user training. It doesn't take much to teach a user the difference between a bad password and a good password, and it's equally simple to convince a user why they should go to the trouble of picking a good one. <br> <br>If a good password's good to start with, it doesn't suddenly become bad 30 days later. It's secure as long as the user keeps it that way. <br> <br>Of course, should good cheap two-factor finally make itself available, this problem would be mitigated immensely.http://blogs.technet.com/steriley/archive/2006/04/30/Security-myths-and-passwords.aspx#426880Mon, 01 May 2006 08:49:20 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:426880Off CampusThis was already written up earlier today on another TechNet blog but I wanted to make note anyway in...http://blogs.technet.com/steriley/archive/2006/04/30/Security-myths-and-passwords.aspx#426952Mon, 01 May 2006 21:49:12 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:426952Tales from the CryptoSteve Riley has some good comments (okay, he simply says &amp;quot;I like this a lot&amp;quot;) on Eugene Spafford's blog...