CyberEye


BlackBerry’s blacklist: 106 passwords you can't use

Research In Motion’s long-awaited new mobile OS, the BlackBerry 10, contains a blacklist of 106 verboten passwords that users will not be able to use to secure access to their devices, researchers have found.

The new OS is expected to be released Jan. 30 and is part of a major effort by RIM to regain some of the government market share it has lost in the face of growing competition from Apple and Android.

The blacklist is a small but clever feature in a device that clearly focuses on security for its enterprise users. It features AES 256-bit encryption that is already FIPS 140-2 certified, it allows segregated work and personal user profiles, and the browser includes a read-only mode that strips possible executables from the display.

The forbidden passwords include the obvious — “123456” and “abcdef,” “password” and “qwerty” — as well as some less obvious — “trustno1” and “zapata.” For the tipplers there is “miller” and “molson” (RIM is Canadian, after all). Some of the residents of Pooh Corner show up, including “eeyore,” “piglet,” “poohbear” and “tigger.” There are wizards, a few obscene suggestions, and I’m ashamed to say that one of my favorite passwords also is included. (I’m not telling you which one.)

Not everyone is impressed by the feature. John Yeo, director of Trustwave SpiderLabs EMEA, in a written statement called it a token that will do little to improve security. “Instead of blacklisting a few words, a more secure option would be to enforce some basic password complexity requirement,” he wrote. “Also, consider now there is a list of 106 known unusable passwords that someone malicious needn't bother trying.”

Considering the computing power that can be thrown into dictionary and brute force password attacks, I don’t think that the exclusion of 106 words from the possibilities will make much difference. And while enforcing basic password complexity is a good idea, that is a policy issue between the user and the enterprise. Baking policy requirements into the OS could create difficulties and conflicts without doing much to improve overall security.
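The trade-off Yeo and the author are debating, as an added example that is not from the post or from RIM: a screening function that applies both a blacklist and a basic complexity rule, so each check's blind spot is visible. The blacklist here is a constructed stand-in built from words the post names, not the real 106-entry list, and the normalization step (case folding, trailing digits, common letter substitutions) is an assumption about how a defender would harden a plain word list.

```python
"""Password screening: blacklist versus complexity rule (added example)."""
import re

# Constructed stand-in for the BlackBerry 10 list, using words the post names.
BLACKLIST = {"123456", "abcdef", "password", "qwerty", "trustno1", "zapata",
             "miller", "molson", "eeyore", "piglet", "poohbear", "tigger"}

# Common substitutions to undo before comparing against the list (assumption).
LEET = str.maketrans("0134$@!", "oieasai")


def normalize(pw):
    """Reduce 'P@ssw0rd1' to 'password': lowercase, drop trailing
    digits/symbols, then undo common letter substitutions."""
    low = pw.lower()
    core = re.sub(r"[^A-Za-z]+$", "", low) or low
    return core.translate(LEET)


def blacklisted(pw, blacklist=BLACKLIST):
    """True if the password, exact or normalized, is on the list."""
    return pw.lower() in blacklist or normalize(pw) in blacklist


def meets_complexity(pw, min_len=8):
    """Basic rule of the kind Yeo suggests: minimum length plus at least
    three of four character classes."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3


def check(pw, blacklist=BLACKLIST):
    """Return the reasons a password is rejected; an empty list means accepted.
    'Tigger2013!' passes complexity but is a blacklist hit; 'aaaaaaaa' is the
    reverse, which is why the two checks complement each other."""
    reasons = []
    if blacklisted(pw, blacklist):
        reasons.append("blacklisted")
    if not meets_complexity(pw):
        reasons.append("complexity")
    return reasons


if __name__ == "__main__":
    for candidate in ("qwerty", "Tigger2013!", "P@ssw0rd", "aaaaaaaa", "Xk7#qLm2pQ"):
        print(f"{candidate!r}: {check(candidate) or 'accepted'}")
```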

Blacklisting passwords might not be a great idea, but it’s a good one.

Posted by William Jackson on Dec 07, 2012 at 9:39 AM


Reader Comments

Thu, Dec 20, 2012 Editor

Editor's note: You can view the full list here: http://crackberry.com/106-passwords-you-wont-be-able-use-blackberry-10

Wed, Dec 19, 2012

SOooo, where's the URL for the list????

Mon, Dec 10, 2012

Actually this is a great idea if they keep the list up to date. That is, passwords that are found in online databases of hacked passwords should be blacklisted too.

Mon, Dec 10, 2012 Roger Green

OK - is it because you're still USING one of the 106 verboten passwords?
