Security myths and realities


It may be natural to think that more security is better than less security, but that is a myth, and just one among many security myths accepted as conventional wisdom. Network World's Ellen Messmer presents 13 favorite security myths from security experts, vendors and consultants.

"First, security is always a trade-off, and sometimes additional security costs more than it's worth," explains security guru Bruce Schneier. "For example, it's not worth spending $100,000 to protect a donut. Yes, the donut would be more secure, but it would make more sense to simply risk the donut."

What's more, Schneier says, adding security brings diminishing returns. An initial security outlay may bring a certain percentage increased security, but to double that percentage would cost more than doubling the initial outlay.

Another common security myth these days, according to Carl Herberger, vice president of security solutions at Radware, is that bandwidth can solve the problem of distributed denial of service attacks. In the last year or so, more than half of DDoS attacks were application-oriented, and adding bandwidth can facilitate this kind of attack. Today, approximately one-fourth of DDoS attacks can be addressed by boosting bandwidth, Herberger says.

Password security comes with a host of myths, a big one being that expiring them every 90 days will strengthen the system. "I think this is like the nutritional advice that urges us to drink eight glasses of water a day," says Ari Juels, chief scientist at RSA. "In fact, recent research suggests that regular password expiration may not be useful." Expiring passwords on a random schedule may be a far better security measure.

Another password-related myth is that users should come up with random passwords. The truth is, random passwords have their own disadvantages, such as being hard to remember and unwieldy to type, says Kevin Haley, director of Symantec security response. It is better, Haley says, to come up with a phrase you can remember, as long as it has at least 14 characters and uses upper- and lower-case letters, numbers and symbols.

The notion that software security hasn't improved over the years is a myth in itself, at least according to Gary McGraw, chief technology officer at Cigital. McGraw insists that the industry has improved greatly, having gained a much better understanding of safe coding practices. "The defect density ratio is going down," he says, adding that the total volume of code has ballooned, making it seem like the percentage of vulnerabilities hasn't fallen.

For more:
- see Ellen Messmer's article at Network World
