- Paperback: 182 pages
- Publisher: Syngress; 1 edition (December 25, 2005)
- Language: English
- ISBN-10: 1597490415
- ISBN-13: 978-1597490412
- Product Dimensions: 6.2 x 0.5 x 8.9 inches
- Shipping Weight: 9.6 ounces (View shipping rates and policies)
- Average Customer Review: 4.3 out of 5 stars See all reviews (9 customer reviews)
- Amazon Best Sellers Rank: #898,911 in Books (See Top 100 in Books)
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
To get the free app, enter your mobile phone number.
Perfect Passwords: Selection, Protection, Authentication 1st Edition
Use the Amazon App to scan ISBNs and compare prices.
Customers Who Bought This Item Also Bought
Top Customer Reviews
The book is unique because the author bases many of his recommendations on research, not theory. He says that over the course of his consulting career he has collected somewhere between 3 and 4 million passwords. (This seems somewhat suspicious, but I suppose dropping the usernames would make that practice acceptable.) By performing statistical analysis on those millions of real passwords, the author knows exactly what makes a bad password.
Perfect Passwords does a good job dispelling common password policy myths. I was glad to hear him report that changing passwords once a month is a stupid idea. A weak password is not "protected" by a monthly change, since it can be broken in a matter of hours. Instead, use 15 or more characters in passwords, and change them less frequently (perhaps every 6 or 12 months, depending on sensitivity).
The author also rightfully criticizes "secret questions" and stand-alone biometrics. Both systems suffer an important flaw: "the answer to the question is usually a fact that will never change," like the make of your first car or your fingerprint. If secret questions must be used, add a three-digit code to the answer. With biometrics, always accompany them with a password.
I had no major problems with Perfect Passwords. I did think that 21 pages of words in Appendix B and 16 pages of numbers in Appendix C didn't serve any real purpose. I thought the hand-drawn figures seemed really weak in places (Figure 3.1 is a lawn sprinkler?). One mathematical note -- pp 43-44 discuss combinations vs permutations. With permutations, it's important to note whether a number can be selected repeatedly, or only once. With a lottery (the book's example), numbers are usually selected once. So, the permutations for a three digit lottery yield 10 * 9 * 8 = 720 possibilities, not 1000.
Overall I liked Perfect Passwords. This is a great addition to any security professional's library, and it contains many sound suggestions.
Contents: Passwords - The Basics and Beyond; Meet Your Opponent; Is Random Really Random?; Character Diversity - Beyond the Alphabet; Password Length - Making It Count; Time - The Enemy of All Secrets; Living with Passwords; Ten Password Pointers - Building Strong Passwords; The 500 Worst Passwords of All Time; Another Ten Password Pointers Plus a Bonus Pointer; The Three Rules for Strong Passwords; Celebrate Password Day; The Three Elements of Authentication; Test Your Password; Random Seed Words; Complete Randomness; Index
If you've been around computer systems for any time, you've heard the conventional wisdom on creating secure passwords. And regardless of how many times it's said, you still get users picking the word "password" for access to the payroll system. Burnett has created an easy-to-read, easily-understood guide on how passwords work, how passwords are usually chosen, and why most of those methods are really bad. But rather than just be gloom and doom, he also presents a number of techniques for generating long passwords that are easy to remember but that will resist virtually all efforts at password cracking. For instance, passwords of 15 to 20 characters with a mix of upper case, lower case, numbers, and special characters are resistant to every known form of cracking attempt (even rainbow lists). But how do you pick a word or words that meet that criteria? Maybe you use rhyming (poor-white-dog-bite) or repetition (email@example.com). Visualization is pretty good, too (Frozen banana in my shoe.) The phrases are nonsensical, but that's why they are not "guessable". And the diversity of the character set coupled with the length of the phrase means that the permutation possibilities are astronomical and can't even begin to be brute-forced with today's technology.
I'm not sure you could get every user in your company to read the book, but it'd be worth trying. It's a fast read at only 180 pages, and they could even benefit just by making sure their password isn't in the top 500 list. :)
Most Recent Customer Reviews
There are LOTS and LOTS of tips and tricks in this book...Read more