Debunking RIM's BlackBerry 10 password 'blacklist'; enterprise security still a top priority

BlackBerry devices contain a password 'blacklist,' but RIM explains why. And for enterprises, the feature has always been there, along with a bevy of strong IT policies to secure your employees' devices.
Written by Zack Whittaker, Contributor

A report emerged this week suggesting that RIM's latest mobile operating system, BlackBerry 10, will disallow certain words as passwords in order to bolster consumer and enterprise messaging security.


Alas, it's not quite true. 

Tim Segato, RIM senior product manager for BlackBerry Security, did not go into much detail, but he did tell ZDNet that this in fact only applies to BlackBerry ID -- the universal single sign-on service for consumer users -- rather than the enterprise version, which provides enterprise-grade messaging security.

BlackBerry ID was rolled out to the company's smartphone user base with BlackBerry 7 to make it far simpler to use one single set of username and password credentials across its services: from BlackBerry email setup to BlackBerry App World, BlackBerry Protect and so on.

He said: "BlackBerry continually looks to help its customers protect their confidential information. One element of BlackBerry’s overall security solution is to limit commonly used passwords on BlackBerry ID."

"123456", "a1b2c3", and "changeme" are just some of the obvious ones -- including the ones that mention the word "f**k", as one might expect -- though there are some surprising ones on the list.

Passwords such as "gandalf" are disallowed, as is "monkey", "piglet" and "poohbear". (Not quite sure what RIM has against Winnie the Pooh characters, but someone had to finally say something.)

Segato explained that RIM had conducted research based on common passwords used by BlackBerry users in order to help protect them against malicious attacks by hackers or malware:

"These passwords are ones that have been identified by the security research community. BlackBerry ID allows BlackBerry customers to access BlackBerry websites, apps, and services, as well as confidential and personal information, with a single sign-on. The password list is not applied for log-in to BlackBerry devices."

The 'blacklist' just means BlackBerry ID users can't use certain keywords as their password. Enterprise users are not affected by this.

If CIOs and IT folk aren't going to enforce strong passwords, it's down to the smartphone and device manufacturer to give it a stab. After all, many bring-your-own-device (BYOD) employees bring in their own smartphone or tablet from home and use their kids' names as passwords... or, as the case may be, their kids' favorite cartoon characters.

However, BlackBerry enterprise users -- those hooked up to a BlackBerry Enterprise Server (BES), rather than the consumer email module, BlackBerry Internet Service (BIS) -- can still have this 'blacklist'-like policy on their domain.

For instance, BES 5 includes a "forbidden passwords IT policy rule" that restricts certain words from being used to hook up a BlackBerry to an enterprise network. These policies control the password that unlocks the device. For example, company names or common project names may be disallowed. This lets IT staff tailor the restrictions on a company-by-company basis.

However, BES 5 also offers in-built policies to "require password or pass phrase" or "require a strong password or pass phrase."

Specifically, BES 5 has preconfigured IT policies to allow for "basic password" security and "medium password" security. Basic password security requires users to set a simple password to secure their BlackBerry devices, but the password must be changed regularly. Medium password security requires a complex password to unlock their BlackBerry smartphones, and not only requires regular password changing, but the server also keeps a password history to ensure the user doesn't jump back into old habits.

In fact, the list goes on, and the preconfigured IT policies (IT staff can also create custom and use-case specific policies for their employees) even include "advanced security," which sets a password timeout to lock devices, restricts Bluetooth technology, enables strong content protection, encrypts the file system and prevents the USB port from doing -- well, anything.
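To make the difference between the consumer 'blacklist' and the BES-style tiered policies concrete, here is an added illustration (not RIM or BlackBerry code; the tier names, thresholds, complexity definition and the forbidden-word list are all assumptions constructed for this example). It models a forbidden-word rule, a "basic" tier that only enforces a short minimum length, and a "medium" tier that adds complexity requirements and a password history, which is the mechanism that stops a user jumping back to an old password.

```python
"""Password policy checker modelled loosely on the BES 5 rules described above.

Added example for this article; it is hypothetical code, not RIM/BlackBerry's
implementation.  Tier names, lengths, the complexity rule and the forbidden
words are constructed assumptions, not actual BES defaults.
"""
from dataclasses import dataclass, field
import hashlib
import re

# Constructed forbidden-word list: a few entries the article quotes from the
# consumer BlackBerry ID list plus the kind of company/project names an
# administrator might add under a "forbidden passwords" rule.
FORBIDDEN_WORDS = {"123456", "a1b2c3", "changeme", "gandalf", "monkey",
                   "piglet", "poohbear", "acmecorp", "projectfalcon"}

# Collapse common character substitutions so "p00hbear" still matches "poohbear".
LEET = str.maketrans("0134$@!", "oleasai")


@dataclass
class Policy:
    name: str
    min_length: int
    require_complexity: bool   # assumed rule: at least 3 of lower/upper/digit/symbol
    history_depth: int         # 0 disables history; N rejects the last N passwords
    forbidden: set = field(default_factory=lambda: set(FORBIDDEN_WORDS))


# Two assumed tiers mirroring the article's "basic" and "medium" descriptions.
BASIC = Policy("basic", min_length=4, require_complexity=False, history_depth=0)
MEDIUM = Policy("medium", min_length=8, require_complexity=True, history_depth=5)

_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def _digest(password: str) -> str:
    # History stores digests, not plaintext, so old passwords are not kept readable.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, policy: Policy, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = candidate.lower()
    normalised = lowered.translate(LEET)

    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")

    # Forbidden words are matched as substrings, so "Gandalf1!" is still rejected.
    for word in sorted(policy.forbidden):
        if word in lowered or word in normalised:
            problems.append(f"contains forbidden word '{word}'")
            break

    if policy.require_complexity:
        classes = sum(bool(re.search(pattern, candidate)) for pattern in _CLASSES)
        if classes < 3:
            problems.append("needs at least three of: lower, upper, digit, symbol")

    if policy.history_depth and _digest(candidate) in history[-policy.history_depth:]:
        problems.append(f"reused within last {policy.history_depth} passwords")

    return problems


def rotate_password(candidate: str, policy: Policy, history: list) -> list:
    """Apply the policy and, on success, record the new password's digest in the history."""
    problems = check_password(candidate, policy, history)
    if not problems:
        history.append(_digest(candidate))
    return problems


if __name__ == "__main__":
    hist = []
    for pw in ("gandalf", "monkey", "Winter2012!", "Winter2012!"):
        print(pw, "->", rotate_password(pw, MEDIUM, hist) or "accepted")
```

Running the block walks through the article's own examples: "gandalf" fails only the forbidden-word rule, "monkey" fails length, blacklist and complexity at once under the medium tier, and a password that passes is rejected the second time it is set because the history rule catches the reuse. Swapping `MEDIUM` for `BASIC` shows the difference the article draws: the same reuse is allowed, because the basic tier keeps no history.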

RIM's forthcoming BES 10 (or "Mobile Fusion" as it is currently known) also has this functionality, so it's not going anywhere any time soon. RIM would not take out this relatively standard, basic security feature just because BES 10 happens to be a major version revision of the server.

In an emailed statement, SpiderLabs EMEA director John Yeo (wrongly) asserted in reply to the initial rumors that quickly spread: "This move is just a token measure that does little to increase security and likely a lot to frustrate users. Instead of blacklisting a few words, a more secure option would be to enforce some basic password complexity requirement."

(It might have been wise to check BlackBerry's very public and easy-to-search enterprise security policies before first making a comment?)

For BlackBerry ID customers, however, one has to take into account malicious attempts to access a user's account. Ultimately this means there is a list of (now public) passwords for hackers to simply avoid trying, but the password 'blacklist' for enterprises remains just as secure and dynamic as most other mobile device management (MDM) services.

That's one myth debunked before my morning coffee. 
