CyberEye

By Patrick Marshall

Blog archive
Three signs saying "No"

BlackBerry’s blacklist: 106 passwords you can't use

Research In Motion’s long-awaited new mobile OS, the BlackBerry 10, contains a blacklist of 106 verboten passwords that users will not be able to use to secure access to their devices, researchers have found.

The new OS is expected to be released Jan. 30 and is part of a major effort by RIM to regain some of the government market share it has lost in the face of growing competition from Apple and Android.

The blacklist is a small but clever feature in a device that clearly is focusing on security for its enterprise users. It features strong AES 256-bit encryption that already is FIPS 140-2 certified, it allows segregated work and personal user profiles, and the browser includes a read-only mode that strips possible executables from the display.

The forbidden passwords include the obvious — “123456” and “abcdef,” “password” and “qwerty” — as well as some less obvious — “trustno1” and “zapata.” For the tipplers there is “miller” and “molson” (RIM is Canadian, after all). Some of the residents of Pooh Corner show up, including “eeyore,” “piglet,” “poohbear” and “tigger.” There are wizards, a few obscene suggestions, and I’m ashamed to say that one of my favorite passwords also is included. (I’m not telling you which one.)

Not everyone is impressed by the feature. John Yeo, director of Trustwave SpiderLabs EMEA, in a written statement called it a token that will do little to improve security. “Instead of blacklisting a few words, a more secure option would be to enforce some basic password complexity requirement,” he wrote. “Also, consider now there is a list of 106 known unusable passwords that someone malicious needn't bother trying."

Considering the computing power that can be thrown into dictionary and brute force password attacks, I don’t think that the exclusion of 106 words from the possibilities will make much difference. And while enforcing basic password complexity is a good idea, that is a policy issue between the user and the enterprise. Baking policy requirements into the OS could create difficulties and conflicts without doing much to improve overall security.

Blacklisting passwords might not be a great idea, but it’s a good one.

Posted by William Jackson on Dec 07, 2012 at 9:39 AM


Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.