Like many academics, I think that many security policies and procedures are a tad draconian and based on superstition rather than evidence. One of my pets that I often rail about is the requirement that individuals change passwords on some fixed schedule; I’m still looking for any evidence that these requirements actually make our institutions…