How I wish more IT security people considered the SOCIAL aspect of their policies. =P

Onto the second rule – regularly changing the password.  Let me first say that this is a rule I hate.  Not only does it not meet the goal of protecting an account, it actually makes things worse when combined with the first rule.  Let me explain.

The reaction most users have when you tell them their password has to be (for example) at least 8 characters long and contain uppercase, lowercase, and numbers is not entirely positive.  It’s not always easy to think of a password that meets all of these requirements as well as the unspoken one; you have to remember it.  For obvious reasons, unless they’re instructed otherwise most people will choose something easy to remember like their surname followed by their birthday.  It meets the requirements and they can remember it.  To combat this, sensible administrators will explain how important it is that the password can’t be guessed and encourage another method of choosing a password.  They might suggest turning a sentence into a string of characters.  For example, the sentence “I’m going to try to remember this password” could become “ImG2t2RthP@ss”.  That’s a pretty good password – it meets all the rules, it looks very random, it will survive a dictionary attack, and most importantly it can be remembered.  Basically, it’s going to take a very long brute-force attack to guess.

Now, what if they know they’ll have to choose a new one to remember every month? Are they going to pick a hard password then?  I’d suggest that it’s far less likely that they’ll go through this process of turning a sentence into a password every month.  Even though it’s easier to remember than a random string of characters, it won’t stick instantly.  It might take them a few days before they can type it without thinking.  And if they have to do this every 30 days, it becomes that much harder to properly cement it in.
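As an added illustration that is not part of the original post, the small checker below applies the rule quoted above (at least 8 characters, with uppercase, lowercase and digits) to the two kinds of password the excerpt describes: a surname-plus-birthday choice satisfies the rule yet is flagged as predictable, while the sentence-derived one passes both checks. The surname list is a constructed stand-in for a real wordlist, and the 33-symbol count for punctuation is an assumption.

```python
import math
import re

# Policy as stated in the excerpt: at least 8 characters, and at least one
# uppercase letter, one lowercase letter and one digit.
MIN_LENGTH = 8

# Constructed stand-in for a real surname wordlist (assumption).
SURNAMES = {"smith", "jones", "williams", "brown"}


def meets_policy(pw: str) -> bool:
    """True when the password satisfies the composition rule."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # assumed count of printable ASCII punctuation
    return size


def naive_entropy_bits(pw: str) -> float:
    """Brute-force search space in bits, assuming every character is random."""
    return len(pw) * math.log2(charset_size(pw))


def looks_predictable(pw: str) -> bool:
    """Surname followed by a date-like digit run: compliant but guessable."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{4,8})", pw)
    return m is not None and m.group(1).lower() in SURNAMES


def assess(pw: str) -> dict:
    """Combine the rule check with the naive and pattern-based views."""
    return {"compliant": meets_policy(pw),
            "naive_bits": round(naive_entropy_bits(pw), 1),
            "predictable": looks_predictable(pw)}
```

The naive bit count overstates the strength of the surname-plus-date password: the rule is satisfied, but a guesser working from a wordlist and date patterns never has to search that space.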

This is so true, and it doesn't even list all the other ways users 'game' a pword system that annoys them.

You know you've grown up when you realise Dilbert is corporate life.

The truth is most firms, at least those I've worked at, don't really care about security. They just want to appear that they care. Security is hard, and you have to be vigilant. Pretending to care means you buy some overpriced appliances and software that no one manages. When the sh*t hits the fan, you can say "well we did X, Y, and Z but hackers are evil people". The take away story for most people in the biz and the public is not HBGary got hacked and so their security stuff must suck; it's that hackers are a true menace and wild and crazy and won't someone think of the children? So then business people yell at the government and say "hey OMG! We need lots of money to protect your systems and our systems because hackers are crazy". They do this via media so it becomes news stories. Then the public starts asking "what are you going to do about it, government" and the government says "we'll fund the security people to protect your credit cards!" and in flows the money. It's a part of security theater. There are always "new" threats so you can never stop paying for security.