BlackBerry Forums Support Community

View Poll Results: Passwords should be...
Complex, 8-char, password history kept, 30-day expiration, required: 9 votes (21.95%)
Required, but no quality requirements: 27 votes (65.85%)
Optional: 5 votes (12.20%)
Voters: 41.

Old 05-14-2005, 10:00 PM   #41
corey@12mile
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148
Our contact lists of customers are pretty much the same as all of our competitors... really... we don't email much to our customers, other than the quotes, but those come from our server... 99% of our contact with the customer is done either in person, or talking on the phone. It's not hard to believe.

And yes... we have public folders, with contacts, and we do lookups from the handheld... generally the lookups are for finding phone numbers... like wheelclick -> lookup -> abc construction -> scroll -> dial.

cd.
Offline  
Old 05-15-2005, 06:42 PM   #42
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144
Jibi

In Admin guide, RIM recommends 8 characters, pattern check=2, 30 days max. pw age, and max. pw attempts = 10. Wonder what they know that we don't?

Corey

Regarding syncing with public folders; I now see that BES 3.6 supported it. 4.0 does not. I gather you're on 3.6 or some pre-4.0 version.

Still hard to believe no employee of your company will ever send another employee an e-mail regarding a pending lawsuit, a customer complaint, salaries of key employees, or SOMETHING that should not be on a stolen BB. They must not use e-mail like every other business I've ever encountered does. But if you can somehow guarantee that it will never happen, then I concede...having no password is sufficient.

Last edited by JRV; 05-15-2005 at 07:02 PM..
Offline  
Old 05-15-2005, 09:44 PM   #43
jibi
BlackBerry God
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Quote:
Originally Posted by JRV
Jibi

In Admin guide, RIM recommends 8 characters, pattern check=2, 30 days max. pw age, and max. pw attempts = 10. Wonder what they know that we don't?
i would say this is a standard password policy for anything dealing with the network. with that said, i've had my hands in cracking for about 10 years now, and i honestly do not see BF being a valid attack on the handheld to break the password. that's just my opinion, though. i'm not saying it couldn't happen, but the chances of it happening are less than that of my g/f becoming born again and cutting me off from sex. oh wait, that happened last week. haha.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
Offline  
Old 05-15-2005, 10:22 PM   #44
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144
Jibi, that is a pretty standard recommendation. And a lotta people have posted reasons why BBs are both more and less vulnerable than corporate networks. Not all the points and counterpoints have been fully addressed, but it's starting to look to me like a wash.

So, the net is...corporate network + more vulnerable + less vulnerable = "standard" password policy, particularly since that's the vendor's recommendation.

And we're still talking about 4 or 5 extra keystrokes a few times a day, folks. Why is this even controversial? Again, this is not a rational objection, it's an emotional one. This is business...so rational needs to win.

If you're gonna do passwords...and most feel you should...you should go ahead and do them right because you never know what the next hack, or the next BES upgrade, or the next HH upgrade, is going to bring.

Throw in that it's always better business to be too secure than not secure enough, and RIM's recommendation starts looking pretty good.

Sorry to hear about your GF.
Offline  
Old 05-17-2005, 12:25 PM   #45
DoomBringer
Talking BlackBerry Encyclopedia
 
Join Date: Feb 2005
Model: 7280
Carrier: cingular, no wait, AT&T
Posts: 300
Quote:
Originally Posted by JRV
Jibi, that is a pretty standard recommendation. And a lotta people have posted reasons why BBs are both more and less vulnerable than corporate networks. Not all the points and counterpoints have been fully addressed, but it's starting to look to me like a wash.

So, the net is...corporate network + more vulnerable + less vulnerable = "standard" password policy, particularly since that's the vendor's recommendation.

And we're still talking about 4 or 5 extra keystrokes a few times a day, folks. Why is this even controversial? Again, this is not a rational objection, it's an emotional one. This is business...so rational needs to win.

If you're gonna do passwords...and most feel you should...you should go ahead and do them right because you never know what the next hack, or the next BES upgrade, or the next HH upgrade, is going to bring.

Throw in that it's always better business to be too secure than not secure enough, and RIM's recommendation starts looking pretty good.

Sorry to hear about your GF.
My biggest issue here is that you balance what you're recommending with what the customer wants... basically, if you can get them to do passwords, then you've won half the battle. Sure, they're not terribly good passwords, and you can go on the record about how the passwords are shorter than optimal, but anything to get them to have _any_ password at all. Mostly, I'd just want to avoid making my customer more upset over the issue than he already is.
Offline  
Old 05-17-2005, 06:14 PM   #46
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144
DoomBringer, you're right, of course. And the issue is resolved as of yesterday afternoon. Customer isn't upset...I think it's been a worthwhile exercise, in fact. CEO has been given what is probably his first glimpse of security awareness. At least it's been MY first opportunity to do so, since I've never worked directly with him as I have on this project.

My company has served their company since 1998, so they know my dedication to their best interests...whether they agree with me or not!

This thread helped a LOT, by the way, so thanks to all voters & posters. Fortunately, most comments were reasonably respectful...that was the biggest gamble about giving him the URL! But it was very constructive.

The final, negotiated password policy--

4 characters
Pattern Checking = 1 (letter & number)
Maximum security timeout = 15
Maximum password tries = 10

And a brief, simple letter from me to them documenting my continued concerns.
Offline  
Old 05-17-2005, 07:26 PM   #47
jdh
Thumbs Must Hurt
 
Join Date: Mar 2005
Location: Toronto
Model: 8700
Carrier: Rogers
Posts: 121
I have to echo the comments that jibi and a few others have already stated though about brute-force attacks... By default, you get 10 attempts to enter the password, and then the handheld is wiped. At that point, you can basically do whatever you want with the handheld, but there won't be any data left on it, confidential or otherwise.

This applies whether you are trying to enter the password from the handheld itself, or from the desktop.

Unless you turn max password attempts OFF (which would be extremely unwise), or set it to an absurdly high number, then the chances of somebody brute-forcing a password are pretty slim unless the user is silly enough to use something extremely obvious.

Remember as well that even with maximum password attempts set, the probability of a user wiping their own handheld with a wrong password is pretty slim, as the BB will give them ample warning that this is about to happen, and when you're down to two or three attempts left, it even stops masking the password (so the user can actually see what they're typing at that point instead of just seeing a series of * characters).

So while the need for complex passwords is always a good idea (if for no other reason than to prevent people from using inane and obvious passwords), the minimum length is less of an issue.... By doing something as simple as requiring a number, you increase the number of attempts required for even an obvious password... Somebody might get "Rex", but if they have to guess "Rex0" through "Rex9", then the possibility exists that they'll hit the max password limit and the data will be gone.
Offline  
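Added example, not code from any poster and not RIM or BES code: a small Python model of the policy parameters the thread settles on (4 characters, pattern checking for a letter and a number, 10 tries) and of the attempt-limit wipe jdh describes, so the trade-off can be checked in numbers rather than argued. The class and function names, the reading of pattern check level 1 as "at least one letter and one digit" (level 2 is treated the same here since the thread does not spell out what it adds), the 62-symbol alphabet used for the keyspace bound, the sample contact data and the "unmask with 2 attempts left" threshold are all assumptions of this example.

```python
"""Model of the handheld password policy and lockout/wipe behaviour discussed above.

Constructed example: policy values come from the thread; the class names, the
pattern-check semantics and the unmasking threshold are assumptions, not BES APIs.
"""
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols assumed for the keyspace bound


class PasswordPolicy:
    """Policy as the thread describes it.

    pattern_check: 0 = no check; 1 = needs a letter and a number (assumed meaning);
    level 2 is not distinguished from 1 here because the thread does not define it.
    """

    def __init__(self, min_length, pattern_check, max_attempts):
        self.min_length = min_length
        self.pattern_check = pattern_check
        self.max_attempts = max_attempts

    def check(self, password):
        """Return (accepted, reason) for a candidate password."""
        if len(password) < self.min_length:
            return False, "shorter than %d characters" % self.min_length
        if self.pattern_check >= 1:
            if not any(c.isalpha() for c in password):
                return False, "pattern check: needs a letter"
            if not any(c.isdigit() for c in password):
                return False, "pattern check: needs a number"
        return True, "ok"

    def online_guess_bound(self, alphabet=ALNUM):
        """Upper bound on a blind guesser's success chance before the wipe:
        at most max_attempts tries out of |alphabet| ** min_length candidates."""
        return self.max_attempts / (len(alphabet) ** self.min_length)


class SimulatedHandheld:
    """Minimal model of jdh's description: failed unlocks are counted and the
    data is wiped on the max_attempts-th failure, from the handheld or desktop."""

    def __init__(self, password, policy):
        ok, reason = policy.check(password)
        if not ok:
            raise ValueError("password rejected by policy: " + reason)
        self._password = password
        self.max_attempts = policy.max_attempts
        self.failed = 0
        self.wiped = False
        self.data = {"contacts": ["abc construction 555-0100"]}  # constructed sample data

    def unlock(self, attempt):
        """Return 'unlocked', 'denied' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if attempt == self._password:
            self.failed = 0
            return "unlocked"
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.wiped = True
            self.data = {}
            return "wiped"
        return "denied"

    def attempts_left(self):
        return self.max_attempts - self.failed

    def masks_input(self):
        """Stop masking typed characters when only 2 attempts remain (threshold assumed)."""
        return self.attempts_left() > 2


def run_guesses(handheld, guesses):
    """Feed a guess list to the handheld in order; return (outcome, attempts_used)."""
    used = 0
    for guess in guesses:
        used += 1
        result = handheld.unlock(guess)
        if result != "denied":
            return result, used
    return "denied", used


def digit_variants(word):
    """The 'Rex0' .. 'Rex9' expansion from the post: 10 candidates per base word."""
    return [word + d for d in string.digits]


if __name__ == "__main__":
    negotiated = PasswordPolicy(min_length=4, pattern_check=1, max_attempts=10)
    rim_guide = PasswordPolicy(min_length=8, pattern_check=2, max_attempts=10)
    print("blind-guess bound, 4 chars:", negotiated.online_guess_bound())
    print("blind-guess bound, 8 chars:", rim_guide.online_guess_bound())
    print("'Rex' under the negotiated policy:", negotiated.check("Rex"))
    hh = SimulatedHandheld("Rex4", negotiated)
    print(run_guesses(hh, digit_variants("rex") + digit_variants("Rex")), hh.data)
```

Two things the model makes visible: with the 10-attempt cap the blind-guess bound is about 7 in 10 million even at 4 characters, and a guesser who spends those 10 tries on the wrong case of the base word ("rex0" to "rex9") triggers the wipe before reaching "Rex4", which is the scenario jdh describes; raising max attempts is what would weaken this, not the drop from 8 to 4 characters.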
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.