Darril Gibson's Get Certified Get Ahead Sec+ Study guide
I just wanted to say I'm absolutely pleased with Darril Gibson's study guide for the Sec+ exam. This is the second book I purchased to study for the exam and I regret not researching this certification a bit more before I went ahead and purchased my study material. The book is well written and feels very well organized, the succession to the information found in each chapter feels like you're reading a story. The answer key at the end of each chapter for the 'end of chapter questions' is well detailed: First it gives the correct answer, explains why the answer is correct and then it goes on to explain how the remaining choices didn't adequately address the requirement.
Again, I'm very happy I decided to bite the bullet and buy a second book (I'm pretty cheap, I usually only buy a single study guide for any certifications I'm passing).
With the above being said, I'm now going to go ahead and take a jab @ Darril. I went ahead and subscribed to his premium content a few hours ago. I haven't gone through the premium content yet (I study for 4 days then review on the 5th.. I'm keeping this stuff for my review days) so what I find troubling isn't the content per se. It's the way his web application manages credentials for the 'Member section'. As someone who wrote a book for an ITSEC certification, the way his web application manages user accounts and their credentials leaves a lot to be desired.
1. When you sign up, you don't get to pick your own password. Your password is e-mailed to you. You can change your password, but only after you log in.
2. The password I received was 5 chars and only contained upper case letters. Curious how weak of a password it was? "EEETA". Yes, that was the actual password before I changed it (more on that in point #4).
3. When changing your password, you aren't allowed to use special characters. The website does allow upper case, lower case and numerals so I guess it's not the end of the world (3 out of 4 classes meets the definition of 'password complexity' as per Sec+ material) but still, I always question why someone would want to prevent his end users from making their passwords as complex as they feel it needs to be. I'm not saying he should allow 256chars passwords here... I don't think being allowed to use special chars in your password is asking a lot, it's pretty standard these days and in fact, I don't remember when's the last time I came across a website which didn't allow special characters for my password.
4. For the last but certainly not the least (in fact, this is the worst of them!) he stores actual passwords in his database instead of using a hash of the password. How do I know this? Very simple: After I got an e-mail with a weak password, the first thing I did was log in and change my password. It turns out that the website application doesn't only send the welcome e-mail, it also sends a follow-up e-mail about half an hour later (see screenshots). Guess what? The follow-up e-mail contained the following lines:
By this time, I'm hoping you've been able to access
the premium content you purchased on the
Get Certified Get Ahead site.
As a reminder, here are the details to log in.
Please login at:
https://gcgapremium.com/log-in/
Email: <My e-mail>
Password: <My new password>
Good for me for using KeePass and using it to generate unique passwords for every site.
All that to say, I'm a bit disappointed at how authentication for the user accounts on the gcgapremium.com website is handled, especially coming from someone who writes ITSEC study guides and sells ITSEC study material.
2018 goals: Security+, CCNA CyberOps (Cohort #6), eJPT, CCNA R&S 2019 goals: RHCE ????, OSCP || CISSP
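An added example, not part of the original post and not the site's code: the four points above, seen from the storage side. It sizes the keyspace of a five-letter upper-case password, generates a stronger initial one, and stores only a salted PBKDF2 hash, so a reminder mail has no password to quote. The function names, the iteration count and the example.test URL are assumptions made for this sketch.

```python
import hashlib
import hmac
import math
import secrets
import string

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def keyspace(alphabet_size, length):
    """Return (number of possible passwords, equivalent bits)."""
    total = alphabet_size ** length
    return total, round(math.log2(total), 1)


def generate_initial_password(length=16):
    """Random first-login password drawn from all four character classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password):
    """Build the stored record: a per-user salt and a slow salted hash only."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(password, record):
    """Recompute the hash from the login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def reminder_email(address, record):
    """A follow-up mail can carry a login link only; the record holds no
    password, so there is nothing to paste into the message."""
    assert "password" not in record
    return f"Email: {address}\nLog in or reset your password at: https://example.test/log-in/"


if __name__ == "__main__":
    print(keyspace(26, 5))   # five upper-case letters, as in the post
    print(keyspace(94, 16))  # 16 printable ASCII characters
    rec = hash_password("constructed-Pa$$w0rd!")  # constructed sample value
    print(verify_password("constructed-Pa$$w0rd!", rec))
    print(reminder_email("user@example.test", rec))
```

Because the input is hashed before storage, special characters and long passwords cost the application nothing to accept.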