Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Perfect Passwords", Mark Burnett

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKPRFPWD.RVW 20060420 Perfect Passwords , Mark Burnett, 2006, 1-59749-041-5, U$24.95/C$34.95 %A Mark Burnett %C 800 Hingham Street, Rockland, MA 02370
    Message 1 of 1 , Jun 5, 2006
    • 0 Attachment
      BKPRFPWD.RVW 20060420

      "Perfect Passwords", Mark Burnett, 2006, 1-59749-041-5,
      %A Mark Burnett
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2006
      %G 1-59749-041-5
      %I Syngress Media, Inc.
      %O U$24.95/C$34.95 781-681-5151 fax: 781-681-3585 amy@...
      %O http://www.amazon.com/exec/obidos/ASIN/1597490415/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/1597490415/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 181 p.
      %T "Perfect Passwords: Selection, Protection, Authentication"

      Those of us in the security field know that users are generally bad at
      creating passwords, and that passwords that are easily guessed or
      found account for huge numbers of security incidents. Therefore, I am
      in full sympathy with a book that attempts to lay out some guidance on
      password choice. However, Burnett's work calls to mind the old joke
      that lists all kinds of restrictions on password selection, and
      finally admits that only one possible password actually fits the
      criteria, and will all users please contact tech support to be issued
      with that password.

      Chapter one tells us that people choose weak passwords, and gives a
      number of lists of such poor choices, without an awful lot of
      explanation. (Burnett also states that the choice of strong passwords
      provides non-repudiation, which is a rather strange position. One
      could make a case that the deliberate choice of a vulnerable password
      would allow the user to later claim that their account had been
      hacked, and therefore assist with repudiation, but the reverse doesn't
      necessarily hold.) Various types of password cracking techniques are
      given in chapter two. This begins to show the inconsistencies and
      contradictions that plague the text: at one point we are told that any
      password less than fifteen characters is "immediately" available to
      attackers, but elsewhere it is suggested that a ten character password
      is a wise choice. (Although brute force cracking is discussed
      extensively, there is, oddly, no mention of the implications of
      Moore's Law.) There is a good discussion of the vital issue of
      randomness in chapter three, although there are numerous gaps, and,
      again, erratic suggestions. Chapter four covers character sets and
      address space. Unfortunately, it is rather impractical (as are other
      areas of the manual) due to a lack of recognition of character
      restrictions. Password length is addressed in chapter five, covering
      many of the same concepts as in four. It is also the most useful of
      the material to this point in the book, suggesting ways to lengthen
      and harden passwords already chosen and preferred. (Some of the
      advice is suspect: bracketing is easy to add to automated password
      cracking programs, and even Burnett admits that "colorization" is a
      weak idea due to the limitations on selection.) Chapter six takes an
      extremely terse and abbreviated look at password aging, but all that
      is really said is that it is inconvenient. Miscellaneous advice about
      using, remembering, storing, and managing passwords is given in
      chapter seven. Chapter eight provides password creations tips, but
      these are, after some of the previous material in the book, rather
      weak, and typically boil down to the use of passphrases and long
      passwords. Five hundred weak passwords are listed in chapter nine,
      but the purpose of the list is not clear. As with chapter one, the
      passwords are not analysed for strength in any way, and, even if you
      want to check your favourite against the list, it isn't in
      alphabetical order. Additional password creation tips are in chapter
      ten, these slightly more useful. We are told, in chapter eleven, to
      make complex passwords, uncommon passwords, and not to tell anyone our
      passwords. Chapter twelve suggests having a regular "password day"
      set aside to concentrate on changing passwords and creating strong
      ones. Other forms of authentication are discussed in chapter

      While the advice and information given in the book is not bad, it
      seems to posit a fairly ideal world. A number of practical items can
      assist users with password choice, but a number of realistic
      considerations are ignored. Readers may also be confused by the lack
      of constancy in the recommendations. Certainly the structure of the
      text could use work: concepts are repeated in different chapters, and
      the advice seems to be aggregated and presented at random.

      There is good advice in this manual, but it lacks focus. The average
      computer user would probably receive a lot of benefit, but is unlikely
      to purchase or read anything this size on this topic. (A pocket sized
      volume, along the lines of the O'Reilly "Desktop Reference" series
      would be ideal.) System administrators would be able to understand
      and use the material in the book, although much of the content is
      either known or available. On balance, I would recommend that this
      primer is important, but definitely needs work.

      copyright Robert M. Slade, 2006 BKPRFPWD.RVW 20060420

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      "Dictionary of Information Security" Syngress (forthcoming) 1597491152
      Those who are too smart to engage in politics are punished by
      being governed by those who are dumber. - Plato (427-347 B.C.)
    Your message has been successfully submitted and would be delivered to recipients shortly.