This isn't the OWASP Top 10 list, but it's still very handy: Top 10 Dumb Computer Security Notions. I'm particularly fond of the "security can't be perfect; since it can't be perfect, why bother?" approach. One other notion that amuses me is the silliness of changing a password every 90 days. The argument is that "it's harder to hit a moving target." That's obviously false. With a good rainbow table, a bad password stored without salt can be broken in about half an hour. There's no "moving target" here. At 30 minutes to crack a password, the only way the target can appear to move is to make every password a one-time password derived from some kind of external source (like a token generator).
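As an added illustration (example code, not from the original post), here is the argument above in Python: a precomputed hash table cracks an unsalted password with a single lookup no matter how recently it was "rotated", a per-user salt makes that table useless and forces the attacker to recompute per user, and a one-time password (HOTP/TOTP per RFC 4226/6238) is the thing that actually changes. The wordlist, salt and shared secret are constructed sample data; the dictionary stands in for a rainbow table, which uses hash/reduce chains to save storage but likewise does its work before any target hash is known.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed attacker wordlist (sample data, not a real dictionary).
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2024", "Summer2025"]


def build_table(words, algo="sha1"):
    """Precompute hash -> plaintext for every word once, up front.

    A real rainbow table stores hash/reduce chains instead of every pair, but the
    point is the same: the cost is paid before the attacker ever sees a target.
    """
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def crack_unsalted(stored_hex, table):
    """Unsalted hash: one dictionary lookup. Changing the password every 90 days
    does not help if the new password is also in the table."""
    return table.get(stored_hex)


def salted_hash(password, salt, algo="sha1"):
    """Store hash(salt || password); the salt is random per user and kept with the hash."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def crack_salted(stored_hex, salt, words, algo="sha1"):
    """Salted hash: the precomputed table cannot be used, so the attacker must
    hash the whole wordlist again for this user's salt."""
    for w in words:
        if salted_hash(w, salt, algo) == stored_hex:
            return w
    return None


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


if __name__ == "__main__":
    table = build_table(WORDLIST)

    # Rotation from Summer2024 to Summer2025 changes nothing: both are one lookup away.
    for pw in ("Summer2024", "Summer2025"):
        print("unsalted", pw, "->", crack_unsalted(hashlib.sha1(pw.encode()).hexdigest(), table))

    salt = os.urandom(16)
    stored = salted_hash("Summer2025", salt)
    print("salted, table lookup ->", crack_unsalted(stored, table))
    print("salted, per-user recompute ->", crack_salted(stored, salt, WORDLIST))

    # Constructed shared secret (the RFC 4226 test-vector secret), not a real token seed.
    secret = b"12345678901234567890"
    now = int(time.time())
    print("TOTP now:", totp(secret, now), "next window:", totp(secret, now + 30))
```

The salted branch shows what actually removes the precomputation advantage: the table has to be rebuilt per salt, which is per user. The TOTP branch shows the only genuine moving target in the original argument, a code that is valid for one 30-second window and is useless to an attacker who captured the previous one.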