BlackBerry (formerly Research In Motion) is planning to utilize password blacklists in its BlackBerry 10 mobile OS, meaning users will be unable to use certain passwords that have been deemed insecure. Do you think such a model strengthens security, or is it better to stick to rules concerning minimum password complexity? Would this model be useful to apply to other password policies?
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security.
The BlackBerry OS 10 includes a list of passwords that cannot be used in conjunction with a BlackBerry ID; the password blacklist was discovered in a developer release. As the list is to be kept in sync with a file on a BlackBerry server, it will certainly increase in the future from the current 106 banned passwords. The list has provoked a lot of Internet comment as the makeup of the forbidden words is a little odd. The names of characters from cartoons and children's books, such as Mickey, Donald, Eeyore, Poohbear, Batman, Gandalf and Snoopy feature heavily, but some like Bilbo, Roo and Christopher Robin are not included. Monday is banned, but the six other days of the week are not.
While the list is clearly incomplete, at what point should RIM stop adding to it? According to the 2012 Trustwave Global Security report, none of those words are actually in the top 100 of the most frequently used passwords. Also, hackers have dictionary lists and enough computing power to discover passwords of eight or fewer characters by brute force.
The purpose of this blacklist isn't to defeat a brute-force attack; instead, it decreases the chance of somebody simply guessing the password of a lost or stolen device by preventing users from choosing common and easily guessed passwords. Blacklisting passwords isn't the best way of controlling password choice, but it does help force consumers or those with BYOD devices, which are often not subject to enterprise control, to stop using the more obvious ones.
Password entropy is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. It increases dramatically when minimum length and complexity rules are enforced. For example, an eight-character password drawn from a set of 80 possible characters (upper and lower case letters, numbers and common punctuation symbols) gives 1.68 quadrillion possibilities, which makes brute-force attacks unrealistic; a seven-letter password made up of lower-case letters only has 8,031,810,176 possible combinations, which is crackable by commercially available computers.
Enterprise BlackBerry users who connect to a BlackBerry Enterprise Server (BES), rather than the consumer email module BlackBerry Internet Service, are subject to rules set by their network administrator, who can make use of this blacklist. For instance, BES 5 includes a built-in policy to require a strong password or passphrase, as well as a forbidden-passwords IT policy rule that restricts certain words from being used to connect a BlackBerry to an enterprise network. Using a password blacklist to ban commonly used passwords like P@ssw0rd, Welcome2 or Summer12!, which comply with standard complex password rules, will certainly improve the entropy of the passwords used on your organization's network.
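The two controls discussed above, a blacklist layered on top of length and complexity rules, together with the keyspace arithmetic behind the entropy figures, as an added Python example that is not from the article or from BlackBerry. The blacklist entries are constructed from words the answer names, and the character-class sizes (summing to the 80-character set used above) are an assumption.

```python
import math

# Constructed sample blacklist built from words named in the answer; this is
# not the actual BlackBerry 10 list. Entries are stored lower-cased so the
# check is case-insensitive.
BLACKLIST = {
    "mickey", "donald", "eeyore", "poohbear", "batman", "gandalf", "snoopy",
    "monday", "p@ssw0rd", "welcome2", "summer12!",
}

# Assumed class sizes: 26 + 26 + 10 + 18 = 80, matching the article's figure.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 18}


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace(password):
    """Number of candidates a brute-force search must cover: alphabet ** length."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return alphabet ** len(password)


def entropy_bits(password):
    return math.log2(keyspace(password))


def meets_complexity(password, min_len=8, min_classes=3):
    return len(password) >= min_len and len(char_classes(password)) >= min_classes


def is_blacklisted(password):
    return password.lower() in BLACKLIST


def evaluate(password):
    """Return (accepted, reason). The blacklist runs after the complexity rules,
    so P@ssw0rd is still rejected even though it satisfies every rule."""
    if not meets_complexity(password):
        return False, "fails length/complexity rules"
    if is_blacklisted(password):
        return False, "on blacklist"
    return True, "ok (~%.0f bits)" % entropy_bits(password)
```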
This was first published in May 2013