Perfect Passwords: Selection, Protection, Authentication – Create Password Policies That Baffle the Bad Guys, Not Your Users
reviewed by Robert Pritchett
Authors: Mark Burnett, http://www.oreillynet.com/cs/catalog/view/au/1633 and Dave Kleiman, http://www.oreillynet.com/cs/catalog/view/au/2560
Author website: Syngress Publishing
Booksites: http://www.syngress.com/catalog/?pid=3420 and http://www.oreilly.com/catalog/1597490415/index.html
Downloadable Ebook: http://www.syngress.com/catalog/?pid=3425
Published: December 2005. Pages: 200
Price: $25 USD, $35 CND, £15 GBP, 15€ EUR
ISBN: 1597490415
Requirements: For anyone who has to deal with computer passwords; in other words, everybody.
Strengths: The emphasis is on what works and not so much on what doesn't.
Weaknesses: No reference to password generators, like Steve Gibson's at https://www.grc.com/passwords, and no Perfect Passwords website with testing tools like http://www.securitystats.com/tools/password.php, yet. The word lists include predictable cusswords, which gives the book a lower rating than it would have gotten otherwise.
ApplemacPunk pointed out some other sites to look at as well:
Perfect Passwords: Selection, Protection, Authentication – Create Password Policies That Baffle the Bad Guys, Not Your Users by Mark Burnett and Dave Kleiman does a great job of showing what does and doesn't work, after presenting the studies behind what makes an effective password possible. The work is a study in human tendencies and in how much we all really do seem to think alike.
I like their analysis regarding human behavior and how predictable we have become. I now understand what character sets really are and that no matter what password or phrase combination I want to come up with, I need it to be at least 15 characters and not 8, and from various character sets and not just one. I also appreciate the occasional humorous entries, the "proper" way to set up secret questions and how to make "good" secret questions that don't have answers that can come off a list somewhere.
One of the strategies offered is to use pass phrases built from various types of "nyms" (a list of these and their definitions is provided) instead of plain old simplistic passwords.
I took great delight in reading about Email Nazis (my term, not the authors') and about password replacement and lifetimes. A strong argument is offered that if the password is long (15 characters or longer), the time between replacements can be stretched out to 6 months or longer between "your password has expired, please replace" messages.
The book is divided into 13 short chapters and 3 long appendices. They cover the basics, weak wordlists, randomness and patterns or sequences, password cracking processes, the worst 500 passwords of all time (including some perfectly predictable cusswords), 11 or so password pointers, 3 rules for strong passwords, a chapter on celebrating Password Day, and the 3 elements of authentication.
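As an added illustration of the rules the review draws out (at least 15 characters drawn from more than one character set, a check against a list of predictable passwords, and the argument that a long password can be left in place for a longer interval), here is a small Python policy checker. This is example code written for this review page, not code from the book or its authors. The short list of predictable passwords, the assumed offline guess rate of ten billion per second, and the default thresholds are all assumptions made up for the example; the keyspace figure it computes is an upper bound, since dictionary words and patterns shrink the space an attacker actually has to search.

```python
import math
import string

# Constructed stand-in for a "predictable passwords" list (a handful of entries
# made up for this example; it is not the book's list of the worst 500).
PREDICTABLE = {"password", "123456", "qwerty", "letmein", "iloveyou", "football"}

# The four character sets a policy typically distinguishes.
CHARSETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}


def charsets_used(pw: str) -> set:
    """Names of the character sets from which pw draws at least one character."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in pw)}


def keyspace_bits(pw: str) -> float:
    """Size, in bits, of the space an attacker must search if they know only the
    length and the character sets in use. This is an upper bound on strength:
    dictionary words and keyboard patterns shrink the real search space."""
    alphabet = sum(len(CHARSETS[name]) for name in charsets_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Years needed to exhaust the keyspace. The default guess rate is an assumed
    figure for an offline attack on a fast hash; adjust it for the hash in use."""
    seconds = 2 ** keyspace_bits(pw) / guesses_per_second
    return seconds / (365 * 86400)


def check_password(pw: str, min_length: int = 15, min_charsets: int = 2) -> list:
    """Return the policy violations for pw (an empty list means it passes).
    The defaults follow the review's rule: 15+ characters from more than one set."""
    problems = []
    if pw.lower() in PREDICTABLE:
        problems.append("predictable")
    if len(pw) < min_length:
        problems.append("too_short")
    if len(charsets_used(pw)) < min_charsets:
        problems.append("too_few_charsets")
    return problems


def outlives_rotation(pw: str, lifetime_days: int, guesses_per_second: float = 1e10) -> bool:
    """True if exhausting the keyspace takes longer than the rotation interval,
    i.e. the password need not be replaced on brute-force grounds alone."""
    return brute_force_years(pw, guesses_per_second) * 365 > lifetime_days


if __name__ == "__main__":
    # Constructed sample inputs: a predictable word, a short mixed-set password,
    # and a long pass phrase using only lower-case letters plus punctuation.
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple!"):
        print(f"{pw!r}: sets={sorted(charsets_used(pw))} bits={keyspace_bits(pw):.1f} "
              f"problems={check_password(pw)} outlives_180d={outlives_rotation(pw, 180)}")
```

The three sample inputs show the distinction the review makes: the short mixed-set password has a respectable keyspace but still fails the 15-character rule, while the long pass phrase passes with only two character sets because its length dominates the arithmetic.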
Separate password myths, nonsense and "rules of thumb" (what passes as "known") from the facts about what really works. Then go practice any of the techniques offered in this book. They are simpler than you think and don't require a "password generator" like the one on Steve Gibson's website. By all means, try them out in the password testers listed above. Or at least check to see whether you fit the human behavior profile and use any of the words listed in the book. It really is quite revealing!
The book actually puts a welcome element of fun back into a drudge job of password maintenance and management.