Password Myths

CERIAS Weblogs » Security Myths and Passwords

Good article looking at some of the assumptions and laziness that lead to companies adopting security policies without actually thinking through the consequences for their environment.

Whilst I'd agree generally with the thrust of the argument (password policies forcing periodic password rotation can actually decrease rather than increase overall system security), there's a good point made in the comments by Michael Spencer, that password rotation does help by reducing the window of time that an attacker can access the information made available by a compromised account (in certain circumstances).

Overall I think that companies would be well served by actually looking at authentication policies for their environment and conducting an analysis of what policy would be the most effective for them, rather than just blindly accepting "best practice" which may not be appropriate.

About this Entry

This page contains a single entry by Rory2 published on April 25, 2006 9:38 AM.
