BKPRFPWD.RVW   20060420

"Perfect Passwords", Mark Burnett, 2006, 1-59749-041-5, U$24.95/C$34.95
%A   Mark Burnett
%C   800 Hingham Street, Rockland, MA 02370
%D   2006
%G   1-59749-041-5
%I   Syngress Media, Inc.
%O   U$24.95/C$34.95 781-681-5151 fax: 781-681-3585 amy@syngress.com
%O   http://www.amazon.com/exec/obidos/ASIN/1597490415/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1597490415/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597490415/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   181 p.
%T   "Perfect Passwords: Selection, Protection, Authentication"

Those of us in the security field know that users are generally bad at creating passwords, and that passwords that are easily guessed or found account for huge numbers of security incidents. Therefore, I am in full sympathy with a book that attempts to lay out some guidance on password choice. However, Burnett's work calls to mind the old joke that lists all kinds of restrictions on password selection, and finally admits that only one possible password actually fits the criteria, and will all users please contact tech support to be issued with that password.

Chapter one tells us that people choose weak passwords, and gives a number of lists of such poor choices, without an awful lot of explanation. (Burnett also states that the choice of strong passwords provides non-repudiation, which is a rather strange position. One could make a case that the deliberate choice of a vulnerable password would allow the user to later claim that their account had been hacked, and therefore assist with repudiation, but the reverse doesn't necessarily hold.)

Various types of password cracking techniques are given in chapter two.
This begins to show the inconsistencies and contradictions that plague the text: at one point we are told that any password less than fifteen characters is "immediately" available to attackers, but elsewhere it is suggested that a ten character password is a wise choice. (Although brute force cracking is discussed extensively, there is, oddly, no mention of the implications of Moore's Law.)

There is a good discussion of the vital issue of randomness in chapter three, although there are numerous gaps, and, again, erratic suggestions. Chapter four covers character sets and address space. Unfortunately, it is rather impractical (as are other areas of the manual) due to a lack of recognition of character restrictions. Password length is addressed in chapter five, covering many of the same concepts as in four. It is also the most useful of the material to this point in the book, suggesting ways to lengthen and harden passwords already chosen and preferred. (Some of the advice is suspect: bracketing is easy to add to automated password cracking programs, and even Burnett admits that "colorization" is a weak idea due to the limitations on selection.)

Chapter six takes an extremely terse and abbreviated look at password aging, but all that is really said is that it is inconvenient. Miscellaneous advice about using, remembering, storing, and managing passwords is given in chapter seven. Chapter eight provides password creation tips, but these are, after some of the previous material in the book, rather weak, and typically boil down to the use of passphrases and long passwords. Five hundred weak passwords are listed in chapter nine, but the purpose of the list is not clear. As with chapter one, the passwords are not analysed for strength in any way, and, even if you want to check your favourite against the list, it isn't in alphabetical order. Additional password creation tips are in chapter ten, and these are slightly more useful.
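An added worked example, not from the book and not part of this review: the arithmetic behind the length-versus-character-set argument of chapters four and five, the small fixed cost that "bracketing" style decorations add, and the Moore's Law consideration the review notes is missing from chapter two. The character-class sizes, the guess rate and the doubling period are assumptions chosen for illustration, not figures from the book.

```python
import math

# Alphabet sizes for common character classes (assumed for illustration;
# real systems restrict which characters a password may contain, which is
# exactly the "character restrictions" point the review raises).
CHARSETS = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "alnum": 62,
    "printable": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a password chosen UNIFORMLY AT RANDOM.
    A human-chosen password of the same shape has far less."""
    return length * math.log2(alphabet_size)


def years_constant_rate(alphabet_size: int, length: int,
                        guesses_per_second: float) -> float:
    """Years to exhaust the whole keyspace at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def years_with_doubling(alphabet_size: int, length: int,
                        guesses_per_second: float,
                        doubling_years: float = 2.0) -> float:
    """Years to exhaust the keyspace when attacker throughput doubles every
    `doubling_years` (a Moore's-Law-style assumption).  Integrating a rate
    R * 2^(t/d) from 0 to t gives cumulative work R * d/ln2 * (2^(t/d) - 1);
    setting that equal to the keyspace and solving for t gives the result."""
    work_years = years_constant_rate(alphabet_size, length, guesses_per_second)
    return doubling_years * math.log2(1 + work_years * math.log(2) / doubling_years)


def decoration_bits(variants: int) -> float:
    """Entropy added by a fixed transformation drawn from `variants` choices,
    e.g. wrapping an existing password in one of four bracket pairs.  A
    cracker that knows the trick pays only this much extra, so it is no
    substitute for one more character of real length."""
    return math.log2(variants)


if __name__ == "__main__":
    rate = 1e10          # assumed guesses per second for an offline attacker
    print("15 lower-case chars: %.1f bits" % entropy_bits(CHARSETS["lower"], 15))
    print("10 printable chars:  %.1f bits" % entropy_bits(CHARSETS["printable"], 10))
    print("4 bracket styles add only %.1f bits" % decoration_bits(4))
    for length in (8, 10, 12):
        const = years_constant_rate(CHARSETS["alnum"], length, rate)
        grow = years_with_doubling(CHARSETS["alnum"], length, rate, 2.0)
        print("alnum length %2d: %.3g years at a fixed rate, "
              "%.3g years if throughput doubles every 2 years"
              % (length, const, grow))
```

Running it shows the reviewer's length point in numbers: fifteen lower-case letters (about 70 bits) span a larger keyspace than ten characters drawn from all 95 printable ASCII characters (about 66 bits), while a bracket decoration chosen from four styles is worth two bits. It also shows why a "ten thousand years at today's speed" figure is not a ten-thousand-year guarantee: with throughput doubling every two years, the same twelve-character alphanumeric keyspace is exhausted in roughly twenty-four years.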
We are told, in chapter eleven, to make complex passwords, uncommon passwords, and not to tell anyone our passwords. Chapter twelve suggests having a regular "password day" set aside to concentrate on changing passwords and creating strong ones. Other forms of authentication are discussed in chapter thirteen.

While the advice and information given in the book is not bad, it seems to posit a fairly ideal world. A number of practical items can assist users with password choice, but a number of realistic considerations are ignored. Readers may also be confused by the lack of consistency in the recommendations. Certainly the structure of the text could use work: concepts are repeated in different chapters, and the advice seems to be aggregated and presented at random.

There is good advice in this manual, but it lacks focus. The average computer user would probably receive a lot of benefit, but is unlikely to purchase or read anything this size on this topic. (A pocket sized volume, along the lines of the O'Reilly "Desktop Reference" series, would be ideal.) System administrators would be able to understand and use the material in the book, although much of the content is either known or available. On balance, I would say that this primer is important, but definitely needs work.

copyright Robert M. Slade, 2006