[ISN] REVIEW: "Perfect Passwords", Mark Burnett

InfoSec News isn at c4i.org
Tue Jun 6 06:04:01 EDT 2006


Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade at shaw.ca>

BKPRFPWD.RVW   20060420

"Perfect Passwords", Mark Burnett, 2006, 1-59749-041-5,
U$24.95/C$34.95
%A   Mark Burnett
%C   800 Hingham Street, Rockland, MA   02370
%D   2006
%G   1-59749-041-5
%I   Syngress Media, Inc.
%O   U$24.95/C$34.95 781-681-5151 fax: 781-681-3585 amy at syngress.com
%O   http://www.amazon.com/exec/obidos/ASIN/1597490415/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1597490415/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597490415/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   181 p.
%T   "Perfect Passwords: Selection, Protection, Authentication"

Those of us in the security field know that users are generally bad at
creating passwords, and that passwords that are easily guessed or
found account for huge numbers of security incidents.  Therefore, I am
in full sympathy with a book that attempts to lay out some guidance on
password choice.  However, Burnett's work calls to mind the old joke
that lists all kinds of restrictions on password selection, and
finally admits that only one possible password actually fits the
criteria, and will all users please contact tech support to be issued
with that password.

Chapter one tells us that people choose weak passwords, and gives a
number of lists of such poor choices, without an awful lot of
explanation.  (Burnett also states that the choice of strong passwords
provides non-repudiation, which is a rather strange position.  One
could make a case that the deliberate choice of a vulnerable password
would allow the user to later claim that their account had been
hacked, and therefore assist with repudiation, but the reverse doesn't
necessarily hold.)  Various types of password cracking techniques are
given in chapter two.  This begins to show the inconsistencies and
contradictions that plague the text: at one point we are told that any
password less than fifteen characters is "immediately" available to
attackers, but elsewhere it is suggested that a ten character password
is a wise choice.  (Although brute force cracking is discussed
extensively, there is, oddly, no mention of the implications of
Moore's Law.)  There is a good discussion of the vital issue of
randomness in chapter three, although there are numerous gaps, and,
again, erratic suggestions.  Chapter four covers character sets and
address space.  Unfortunately, it is rather impractical (as are other
areas of the manual) due to a lack of recognition of character
restrictions.  Password length is addressed in chapter five, covering
many of the same concepts as in four.  It is also the most useful of
the material to this point in the book, suggesting ways to lengthen
and harden passwords already chosen and preferred.  (Some of the
advice is suspect: bracketing is easy to add to automated password
cracking programs, and even Burnett admits that "colorization" is a
weak idea due to the limitations on selection.)  Chapter six takes an
extremely terse and abbreviated look at password aging, but all that
is really said is that it is inconvenient.  Miscellaneous advice about
using, remembering, storing, and managing passwords is given in
chapter seven.  Chapter eight provides password creation tips, but
these are, after some of the previous material in the book, rather
weak, and typically boil down to the use of passphrases and long
passwords.  Five hundred weak passwords are listed in chapter nine,
but the purpose of the list is not clear.  As with chapter one, the
passwords are not analysed for strength in any way, and, even if you
want to check your favourite against the list, it isn't in
alphabetical order.  Additional password creation tips are in chapter
ten, these slightly more useful.  We are told, in chapter eleven, to
make complex passwords, uncommon passwords, and not to tell anyone our
passwords.  Chapter twelve suggests having a regular "password day"
set aside to concentrate on changing passwords and creating strong
ones.  Other forms of authentication are discussed in chapter
thirteen.
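The review's points about character sets, length, Moore's Law and the weakness of "bracketing" can be made concrete with a small keyspace calculator. This is an added example by the editor, not code from the review or the book; the guess rate, the 18-month doubling period and the count of four bracket styles are constructed assumptions for illustration.

```python
import math

# Constructed assumptions for illustration (not figures from the review or the book).
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length, charset_size):
    """Bits of entropy for a uniformly random password of `length` symbols."""
    return length * math.log2(charset_size)


def expected_crack_years(length, charset_size, guesses_per_second=GUESSES_PER_SECOND):
    """Expected years to find a uniformly random password by exhaustive search;
    on average half of the keyspace must be tried."""
    keyspace = charset_size ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def moore_adjusted_years(length, charset_size, years_ahead, doubling_years=1.5):
    """Same estimate, but assuming the guess rate doubles every `doubling_years`
    (the Moore's Law effect the review notes the book never mentions)."""
    faster = GUESSES_PER_SECOND * 2 ** (years_ahead / doubling_years)
    return expected_crack_years(length, charset_size, faster)


def bracketing_gain_bits(n_bracket_styles):
    """Entropy actually added by wrapping a password in one of
    `n_bracket_styles` predictable pairs such as [..], (..), {..}, <..>.
    A cracker that tries each style pays only log2(n) bits, which is why
    the review calls bracketing easy to add to a cracking program."""
    return math.log2(n_bracket_styles)


def naive_two_char_gain_bits(charset_size=95):
    """What two genuinely random printable characters would add instead."""
    return entropy_bits(2, charset_size)


if __name__ == "__main__":
    for length in (8, 10, 15):
        for name, size in (("lowercase", 26), ("alnum", 62), ("printable", 95)):
            bits = entropy_bits(length, size)
            now = expected_crack_years(length, size)
            later = moore_adjusted_years(length, size, 10)
            print(f"{length:2d} chars, {name:9s}: {bits:5.1f} bits, "
                  f"{now:.3g} yr now, {later:.3g} yr after 10 yr of doubling")
    print(f"bracketing adds {bracketing_gain_bits(4):.1f} bits vs "
          f"{naive_two_char_gain_bits():.1f} bits for two random characters")
```

Running it shows why a ten-character and a fifteen-character recommendation are not interchangeable, and how much a restricted character set (the "character restrictions" the review says the book ignores) costs at a given length.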

While the advice and information given in the book is not bad, it
seems to posit a fairly ideal world.  A number of practical items can
assist users with password choice, but a number of realistic
considerations are ignored.  Readers may also be confused by the lack
of constancy in the recommendations.  Certainly the structure of the
text could use work: concepts are repeated in different chapters, and
the advice seems to be aggregated and presented at random.

There is good advice in this manual, but it lacks focus.  The average
computer user would probably receive a lot of benefit, but is unlikely
to purchase or read anything this size on this topic.  (A pocket sized
volume, along the lines of the O'Reilly "Desktop Reference" series
would be ideal.)  System administrators would be able to understand
and use the material in the book, although much of the content is
either known or available.  On balance, I would recommend that this
primer is important, but definitely needs work.

copyright Robert M. Slade, 2006   BKPRFPWD.RVW   20060420


======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca     slade at victoria.tc.ca     rslade at computercrime.org
"Dictionary of Information Security" Syngress (forthcoming) 1597491152
Any fool can criticize, condemn and complain - and most do.
                                         - Dale Carnegie (1888-1955)
http://victoria.tc.ca/techrev/rms.htm