CyberEye

By Patrick Marshall

Blog archive
Three signs saying "No"

BlackBerry’s blacklist: 106 passwords you can't use

Research In Motion’s long-awaited new mobile OS, the BlackBerry 10, contains a blacklist of 106 verboten passwords that users will not be able to use to secure access to their devices, researchers have found.

The new OS is expected to be released Jan. 30 and is part of a major effort by RIM to regain some of the government market share it has lost in the face of growing competition from Apple and Android.

The blacklist is a small but clever feature in a device that clearly is focusing on security for its enterprise users. It features strong AES 256-bit encryption that already is FIPS 140-2 certified, it allows segregated work and personal user profiles, and the browser includes a read-only mode that strips possible executables from the display.

The forbidden passwords include the obvious — “123456” and “abcdef,” “password” and “qwerty” — as well as some less obvious — “trustno1” and “zapata.” For the tipplers there is “miller” and “molson” (RIM is Canadian, after all). Some of the residents of Pooh Corner show up, including “eeyore,” “piglet,” “poohbear” and “tigger.” There are wizards, a few obscene suggestions, and I’m ashamed to say that one of my favorite passwords also is included. (I’m not telling you which one.)

Not everyone is impressed by the feature. John Yeo, director of Trustwave SpiderLabs EMEA, in a written statement called it a token that will do little to improve security. “Instead of blacklisting a few words, a more secure option would be to enforce some basic password complexity requirement,” he wrote. “Also, consider now there is a list of 106 known unusable passwords that someone malicious needn't bother trying."

Considering the computing power that can be thrown into dictionary and brute force password attacks, I don’t think that the exclusion of 106 words from the possibilities will make much difference. And while enforcing basic password complexity is a good idea, that is a policy issue between the user and the enterprise. Baking policy requirements into the OS could create difficulties and conflicts without doing much to improve overall security.

Blacklisting passwords might not be a great idea, but it’s a good one.

Posted by William Jackson on Dec 07, 2012 at 9:39 AM


Featured

  • Cybersecurity
    CISA chief Chris Krebs disusses the future of the agency at Auburn University Aug. 22 2019

    Shared services and the future of CISA

    Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency at DHS, said that many federal agencies will be outsourcing cyber to a shared service provider in the future.

  • Telecom
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA softens line on looming EIS due date

    Think of the September deadline for agencies to award contracts under the General Services Administration's $50-billion telecommunications contract as a "yellow light," said GSA's telecom services director.

  • Defense
    Shutterstock photo id 669226093 By Gorodenkoff

    IC looks to stand up a new enterprise IT program office

    The intelligence community wants to stand up a new program executive office to help develop new IT capabilities.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.