Perfect Password: Selection, Protection, Authentication

Book Overview

User passwords are the keys to the network kingdom, yet most users choose overly simplistic passwords (like password) that anyone could guess, while system administrators demand impossible to remember... This description may be from another edition of this product.

Customer Reviews

5 ratings

"Perfect Passwords" Is Perfect! :)

Review For: "Perfect Passwords: Selection, Protection, Authentication", ISBN 1597490415, by Mark Burnett, 2005

There are LOTS and LOTS of tips and tricks in this book for forming long, memorable, and hard-to-crack passwords. But if all you're interested in is the Meat and Potatoes, I can shortcut the matter and give it to you here:

"The Perfect Password" has eight (8) elements to it:

1. It has UPPERCASE letters (ABC...).
2. It has lowercase letters (def...).
3. It has numbers (123...).
4. It has spaces (" ").
5. It has punctuation (.,:;-!? and the like, usually used in sentences).
6. It has symbols (@ & +=>$#*^~ and the like, usually NOT used in sentences).
7. It has respelling (i.e., no words that can be found in a dictionary -- for example, using "kwean", and not "queen").
8. It has more than 15 characters, and the more the better.

That's it, Jack! If you can easily come up, on the spur of the moment, with a passphrase or password which meets ALL of these criteria, AND which is easy to remember... then YOU DON'T NEED TO BUY THIS BOOK, you've already got it made!

Otherwise, the aforementioned Tips & Tricks will come in very very handy. And not only that, it's (surprisingly!) entertaining, too -- like the anecdote about the author's 5-year-old son, whose password was:

"ooooooooooooooo"

(Shux, his son liked the letter "o", and he could count to the minimum password length of 15, so that's what the lil' kidlet tyke used, LOL!)

Buy this book. Please trust me, you won't be sorry. :)

curiously complete

When I saw this book, I thought the same thing you are probably thinking ... how could you have a whole book on this subject? Then I read the quotes from luminaries on the back cover, and I figured they were just friends of the author and hadn't bothered to read the book. Well. This is a short book, but it's amazingly complete on the subject. I don't agree 100% with all of the policy advice he gives, but it's fascinating to read the real-life password analyses he's done. If you are just someone who wants to pick better passwords for yourself, you *might* like this book. If you are an admin trying to figure out a sensible password policy for your bailiwick, I *strongly recommend* this book to you. It won't take you long to read it, and you are almost certainly going to get some insights even if you are pretty experienced already. (I am, and I did.) I'm glad I bought it, and I'm glad I read it.

Hidden in front of your eyes...

This is a unique book -- hence the 5 stars. It's a quick read, you'll likely be able to finish it in a short evening. The book is what it says -- it deals only with passwords from a mathematical basis. There are no implementation details on different OSes. But, it doesn't promulgate the typical complex, elusive passwords that system administrators typically love. It suggests first making passwords memorable, then long, then complex -- through different character sets. There are a surprising variety of strategies which emerge. This approach can assist system administrators in developing relatively secure but easy to remember terms. There's an informal presentation of statistics to support the presentation. An invaluable book for system admins in an insecure world.

Great, quick read

Mark has made a great, quick, must-read book on passwords. I had read a few chapters of it before it was published (my quote is on the back cover), and liked it, but the overall book should be read by all system administrators. It contains commonsense, practical advice, just more of it than most of us have thought about alone -- all in one place. I think every system administrator will see one or two of their own personal passwords in the book...which is a wake-up call. I was able to quickly read/skim the entire book, pull out all the useful tips in under an hour while my daughter was getting her braces tightened. A complete slow read would probably take a day. I think all system administrators should buy and understand this book.

Roger A. Grimes

Passwords are surprisingly interesting

I never thought I would find a whole book about passwords to be interesting, but I really like Mark Burnett's Perfect Passwords. This short book (134 pages without the appendices, which can be ignored) is remarkably informative. I recommend anyone developing password policies or security awareness training read Perfect Passwords.

The book is unique because the author bases many of his recommendations on research, not theory. He says that over the course of his consulting career he has collected somewhere between 3 and 4 million passwords. (This seems somewhat suspicious, but I suppose dropping the usernames would make that practice acceptable.) By performing statistical analysis on those millions of real passwords, the author knows exactly what makes a bad password.

Perfect Passwords does a good job dispelling common password policy myths. I was glad to hear him report that changing passwords once a month is a stupid idea. A weak password is not "protected" by a monthly change, since it can be broken in a matter of hours. Instead, use 15 or more characters in passwords, and change them less frequently (perhaps every 6 or 12 months, depending on sensitivity).

The author also rightfully criticizes "secret questions" and stand-alone biometrics. Both systems suffer an important flaw: "the answer to the question is usually a fact that will never change," like the make of your first car or your fingerprint. If secret questions must be used, add a three-digit code to the answer. With biometrics, always accompany them with a password.

I had no major problems with Perfect Passwords. I did think that 21 pages of words in Appendix B and 16 pages of numbers in Appendix C didn't serve any real purpose. I thought the hand-drawn figures seemed really weak in places (Figure 3.1 is a lawn sprinkler?). One mathematical note -- pp 43-44 discuss combinations vs permutations. With permutations, it's important to note whether a number can be selected repeatedly, or only once. With a lottery (the book's example), numbers are usually selected once. So, the permutations for a three-digit lottery yield 10 * 9 * 8 = 720 possibilities, not 1000.

Overall I liked Perfect Passwords. This is a great addition to any security professional's library, and it contains many sound suggestions.