
Customer Review

on March 17, 2006
I never thought I would find a whole book about passwords to be interesting, but I really like Mark Burnett's Perfect Passwords. This short book (134 pages without the appendices, which can be ignored) is remarkably informative. I recommend that anyone developing password policies or security awareness training read Perfect Passwords.

The book is unique because the author bases many of his recommendations on research, not theory. He says that over the course of his consulting career he has collected somewhere between 3 and 4 million passwords. (This seems somewhat suspicious, but I suppose dropping the usernames would make that practice acceptable.) By performing statistical analysis on those millions of real passwords, the author knows exactly what makes a bad password.

Perfect Passwords does a good job dispelling common password policy myths. I was glad to hear him report that changing passwords once a month is a stupid idea. A weak password is not "protected" by a monthly change, since it can be broken in a matter of hours. Instead, use 15 or more characters in passwords, and change them less frequently (perhaps every 6 or 12 months, depending on sensitivity).

The author also rightfully criticizes "secret questions" and stand-alone biometrics. Both systems suffer an important flaw: "the answer to the question is usually a fact that will never change," like the make of your first car or your fingerprint. If secret questions must be used, add a three-digit code to the answer. With biometrics, always accompany them with a password.

I had no major problems with Perfect Passwords. I did think that 21 pages of words in Appendix B and 16 pages of numbers in Appendix C didn't serve any real purpose. I thought the hand-drawn figures seemed really weak in places (Figure 3.1 is a lawn sprinkler?). One mathematical note -- pp 43-44 discuss combinations vs permutations. With permutations, it's important to note whether a number can be selected repeatedly, or only once. With a lottery (the book's example), numbers are usually selected once. So, the permutations for a three digit lottery yield 10 * 9 * 8 = 720 possibilities, not 1000.

Overall I liked Perfect Passwords. This is a great addition to any security professional's library, and it contains many sound suggestions.