October 28, 2005
Hot Off The Press: Perfect Passwords
There are two sets of passwords I must deal with in my life: my own and everyone else's. Users constantly forget their passwords, or mistype them because they're so CoNv0Lut3d, and only a technologist can resolve the problem for them. My own problem isn't forgetting my passwords, but being confident in them. I just don't think there is enough variation among the passwords I use to prevent massive data exposure should one of them be compromised. I need something to educate my users -- and myself -- about the best means of password construction. Mark Burnett's book Perfect Passwords: Selection, Protection, and Authentication (Syngress, 2005) aims to do just that.
Burnett knows a lot about passwords, because he's analyzed over a million of them. His research shows that most passwords are much less secure than their users believe. We all know people who choose passwords like "LetMeIn" with the misplaced expectation that they've hit on the perfect code. We're not so naive.
More sophisticated users employ password "strategies" -- little systems for creating passwords that presumably nobody will figure out. For example, a character substitution strategy that replaces certain letters with similar-looking digits (e.g., "s3cr3t5" mutated from "secrets") seems like it should be a vast improvement over ordinary dictionary words as passwords. Burnett shows how far wrong that intuition can be by demonstrating the vulnerability of that and myriad other supposedly safe password strategies.
Sometimes users have random character string passwords forced upon them by well-meaning systems, but users can rarely commit such strings to memory and thus resort to writing them down, which leaves even complex passwords open to sudden compromise. Or a system can try to demand complexity by insisting that passwords contain a mix of letters and numbers -- a requirement most users readily circumvent. Even the common practice of frequently changing passwords is foiled by users making minor, but predictable, modifications to their previous password.
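To make the two preceding points concrete, here is an added example (not from the book or the post) of the kind of check a password-setting routine can run: it undoes the common letter-for-digit substitutions, strips the digits or symbols users tack onto the ends to satisfy complexity rules, and compares the result against a wordlist and against the user's previous password. The substitution table and the wordlist are small constructed stand-ins, not Burnett's data.

```python
import re

# Constructed substitution table (an assumption for this example, not a published rule set).
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}

# Constructed mini-wordlist standing in for a real dictionary file.
WORDLIST = {"secrets", "password", "letmein", "welcome", "dragon"}


def _unleet(text: str) -> str:
    """Map look-alike digits and symbols back to the letters they imitate."""
    return "".join(LEET.get(ch, ch) for ch in text)


def normal_forms(candidate: str) -> set:
    """Return the plausible 'base words' a candidate was built from.

    's3cr3t5' -> {'secrets', ...}; 'Secrets2005' -> {'secrets', ...}.
    Both the whole string and the string minus leading/trailing non-letters
    are tried, because a trailing digit may be a substituted letter ('5' in
    's3cr3t5') or mere padding ('2005' in 'Secrets2005').
    """
    lower = candidate.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    return {_unleet(lower), stripped, _unleet(stripped)}


def check_password(candidate: str, previous: str = None) -> list:
    """Return the reasons a candidate is weak; an empty list means it passed."""
    forms = normal_forms(candidate)
    reasons = []
    hits = forms & WORDLIST
    if hits:
        reasons.append("normalizes to dictionary word: " + sorted(hits)[0])
    # A new password that reduces to the same base as the old one is the
    # 'minor, predictable modification' that defeats forced rotation.
    if previous and forms & normal_forms(previous):
        reasons.append("predictable change from previous password")
    return reasons


if __name__ == "__main__":
    for pw, prev in [("s3cr3t5", None), ("p@ssw0rd!", None),
                     ("Secrets2006", "Secrets2005"), ("Tr0ub4dor&3", None)]:
        print(pw, "->", check_password(pw, prev) or "accepted")
```

Run as a script it prints the verdict for each constructed candidate; "Tr0ub4dor&3" is accepted only because its base word is absent from the tiny wordlist, which is exactly why a real deployment needs a large one.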
The solution to the password problem, Burnett points out, is understanding the ways hackers crack passwords, and knowing how to predict the vulnerabilities of a given password strategy. Armed with this information, and the handy tips the author provides, you can create passwords that are secure, compliant with strict password policies, and still memorable. And you'll be well equipped to train users in safer password strategies to boot.
Posted by Mel Beckman at October 28, 2005 8:39 AM