Excellent article by Gene Spafford about threads regarding password policies. Best article on the topic I’ve seen yet – and lots of wisdom to use for your own security-related discussions.
“From a high-level perspective, let me observe that one problem with any widespread change policy is that it fails to take into account the various threats and other defenses that may be in place. Policies should always be based on a sound understanding of risks, vulnerabilities, and defenses. “Best practice” is intended as a default policy for those who don’t have the necessary data or training to do a reasonable risk assessment.”