unicityd's blog

In defense of password expiration

Submitted by unicityd on Thu, 2006-04-27 15:19.

Recently, as noted on Slashdot, Gene Spafford, co-author of Practical Unix and Internet Security and author of one of the first analyses of the Morris Worm, posted an entry on his blog titled "Security Myths and Passwords."

Spafford's blog entry discusses the various vulnerabilities inherent in password-based authentication and why, he thinks, password expiration is a pointless vestige of a bygone era:
http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/

Prof. Spafford is a widely recognized expert in computer security. People listen to him, and this is what makes his recent post so frustrating for me. His chief claim is that password expiration, a commonly recognized "best practice," has been held over from the days of mainframe computing but really offers no benefit today. Unfortunately, he's got it wrong.

LOPSA at LISA

Submitted by unicityd on Fri, 2005-12-09 03:57.

I'm in San Diego attending LISA this week. LISA is, by far, the most useful conference I've ever attended. It also happens to be the best place in the world to meet the authors of one's favorite O'Reilly books. So far I've seen Tom Limoncelli, Randal Schwartz, Elizabeth Zwicky and AEleen Frisch roaming the halls. There are surely others that I've missed. I just wish that I'd brought all of my books with me.

One of the big things happening at LISA this year is LOPSA. LOPSA, the League of Professional System Administrators, was formed by the elected board of SAGE after USENIX decided not to turn SAGE into a separate organization (it's a very long story best saved for another time).
