CyberEye

Blog archive
Three signs saying "No"

BlackBerry’s blacklist: 106 passwords you can't use

Research In Motion’s long-awaited new mobile OS, the BlackBerry 10, contains a blacklist of 106 verboten passwords that users will not be able to use to secure access to their devices, researchers have found.

The new OS is expected to be released Jan. 30 and is part of a major effort by RIM to regain some of the government market share it has lost in the face of growing competition from Apple and Android.

The blacklist is a small but clever feature in a device that clearly is focusing on security for its enterprise users. It features strong AES 256-bit encryption that already is FIPS 140-2 certified, it allows segregated work and personal user profiles, and the browser includes a read-only mode that strips possible executables from the display.

The forbidden passwords include the obvious — “123456” and “abcdef,” “password” and “qwerty” — as well as some less obvious — “trustno1” and “zapata.” For the tipplers there is “miller” and “molson” (RIM is Canadian, after all). Some of the residents of Pooh Corner show up, including “eeyore,” “piglet,” “poohbear” and “tigger.” There are wizards, a few obscene suggestions, and I’m ashamed to say that one of my favorite passwords also is included. (I’m not telling you which one.)

Not everyone is impressed by the feature. John Yeo, director of Trustwave SpiderLabs EMEA, in a written statement called it a token that will do little to improve security. “Instead of blacklisting a few words, a more secure option would be to enforce some basic password complexity requirement,” he wrote. “Also, consider now there is a list of 106 known unusable passwords that someone malicious needn't bother trying."

Considering the computing power that can be thrown into dictionary and brute force password attacks, I don’t think that the exclusion of 106 words from the possibilities will make much difference. And while enforcing basic password complexity is a good idea, that is a policy issue between the user and the enterprise. Baking policy requirements into the OS could create difficulties and conflicts without doing much to improve overall security.

Blacklisting passwords might not be a great idea, but it’s a good one.

Posted by William Jackson on Dec 07, 2012 at 9:39 AM


Featured

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.