Argumentum ad antiquitatem

This post is not in Latin, but it is essentially a call to the information security industry to end policies based upon argumentum ad antiquitatem (the appeal to tradition: "we have always done it this way"), which includes:

  • Password change, complexity and length policies and standards that simply don’t make sense in the light of research and tools showing that the bulk of human-chosen passwords that satisfy such policies can be cracked offline in a reasonable time. It’s time to move on to two-factor authentication, federated sign-in built on OAuth2 (e.g. Facebook/Twitter/G+ integration) or Mozilla Account Manager (bearing in mind that federation moves the password problem to the identity provider rather than removing it), and random long passphrases for all accounts.
  • “Security” shared-knowledge questions and answers. These are commonly used to “prove” that you have sufficient evidence of identity to resume access to an account. We see these actively exploited continuously now. Unfortunately, most families, ex-spouses included, have sufficient knowledge of the person and access to their identity documents that such questions, no matter how phrased (like “What was your favorite childhood memory?”), are simply unsafe at any speed, because more than ONE person knows or can guess the correct answer.
  • That requiring authentication is enough to eliminate risks in your application. Identity and access management is important, but it’s only part of the picture: knowing who the caller is says nothing about whether they are allowed to do what they just asked for.
  • That enforcing SSL/TLS or access through a firewall is enough to eliminate risks in your application. Confidentiality and integrity of the connection are vital, especially if you’re not doing it today, but they’re only part of the picture: transport security protects data in transit, not the application at either end.
  • That obfuscation is enough to deter attackers. Client-side code is so beguiling and the UX is often amazing, but it’s not safe: anything that runs in the browser can be read, modified and replayed by the person sitting at it. Business decisions must be enforced at a trusted location (the server), and there’s little business reason to implement them twice, so let’s get that balance right.
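As an added illustration of the last three points (this is example code, not code from the original post): a checkout handler in its "being logged in is enough" form next to one that also checks authorization and recomputes the business decision from server-held data. CATALOG, CART_OWNER, Session and both handler names are assumptions made for this example.

```python
"""Added example: enforcing a business decision at a trusted location.
CATALOG, CART_OWNER, Session and both checkout functions are assumptions
made for this illustration, not code from the original post."""
from dataclasses import dataclass
from decimal import Decimal

# Server-side source of truth for prices. The browser displays prices too,
# but only for UX; nothing the client says about money is trusted.
CATALOG = {
    "sku-1001": Decimal("49.99"),
    "sku-2002": Decimal("5.00"),
}

# Constructed sample data: which account owns which cart.
CART_OWNER = {"cart-77": "alice", "cart-78": "bob"}


@dataclass
class Session:
    user: str            # set by the authentication layer, never by the client
    authenticated: bool


def checkout_naive(session: Session, body: dict) -> dict:
    """The 'before': login is the only gate, and the client-side cart has
    already 'decided' the total, so the server charges whatever body['total']
    says. Editing the request in a proxy, or submitting someone else's
    cart id, is enough to defeat it."""
    if not session.authenticated:
        return {"ok": False, "error": "login required"}
    return {"ok": True, "cart": body["cart_id"], "charged": Decimal(body["total"])}


def checkout_hardened(session: Session, body: dict) -> dict:
    """The 'after': authenticate, then authorise (is this the caller's cart?),
    then recompute the total from server-held data, ignoring the client's."""
    if not session.authenticated:
        return {"ok": False, "error": "login required"}
    cart_id = body.get("cart_id")
    # Authorization: authentication told us who the caller is; this tells us
    # whether they may act on this particular cart (the classic IDOR check).
    if CART_OWNER.get(cart_id) != session.user:
        return {"ok": False, "error": "forbidden"}
    # The business decision is made once, here, from trusted inputs.
    total = Decimal("0")
    for sku, qty in body.get("items", {}).items():
        # Reject unknown SKUs, non-integers (bool included) and absurd quantities.
        if sku not in CATALOG or type(qty) is not int or not 1 <= qty <= 100:
            return {"ok": False, "error": "invalid line item"}
        total += CATALOG[sku] * qty
    # A client-supplied total is never used; its presence is a tampering
    # indicator that the caller should log.
    client_total_ignored = "total" in body
    return {"ok": True, "cart": cart_id, "charged": total,
            "client_total_ignored": client_total_ignored}


if __name__ == "__main__":
    alice = Session(user="alice", authenticated=True)
    tampered = {"cart_id": "cart-77", "items": {"sku-1001": 2, "sku-2002": 3},
                "total": "0.01"}
    print(checkout_naive(alice, tampered))
    print(checkout_hardened(alice, tampered))
```

The client-side cart still exists for UX, but the only arithmetic that matters happens after the authorization check, so the two copies of the logic never need to agree: one of them is decoration.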

What are some of your pet “argumentum ad antiquitatem” fallacies?

Comments

One response to “Argumentum ad antiquitatem”

  1. Andre Gironda

    Requiring authentication is most certainly not enough. I’ve gained administrator on many Intranet portals just by using the administrator account (i.e. Administrator or admin) or the administrator’s email (usually identified somewhere, such as in SharePoint or Jigsaw, or on the portal itself). It usually takes about 10-15 minutes on a LAN using Fireforce and rockyou-75.txt.

    Authentication systems are also usually vulnerable in many of the ways you alluded to. I’ve used Burp and other proxies to compare different states that lead to different responses, which led to a compromise of the entire authentication, such as full username and password enumeration.

    What I’d like to see is more anti-automation, especially ones turned on during prod and ones available alongside no-anti-automation during test. I really appreciated the Roboo FOSS package, which does require the FOSS nginx web server.

    Good logging and monitoring as well as instrumentation potentials inside the app architecture (with a single architecture) is perhaps the most important.
