BlackBerry Forums Support Community
              

Old 02-18-2008, 02:04 PM   #1
thomas708
New Member
 
Join Date: Feb 2008
Model: 8100
PIN: N/A
Carrier: T-Mobile
Posts: 13
Default How safe is the Password Keeper database?

I am concerned about the Password Keeper database being cracked if/when my BlackBerry is lost/stolen. So I want to know what is the encryption level being utilized by the Password Keeper application. Is it equivalent to DES, 3DES, AES, etc.? Thanks.
Offline  
Old 02-18-2008, 02:04 PM   #2
Sith_Apprentice
Retired BBF Moderator
 
Join Date: Aug 2005
Model: 9000
OS: 4.6.0.xxx
Carrier: AT&T
Posts: 10,149
Default

It's the same level of protection as the device. If you password protect it, then after 10 attempts the information is wiped.
Offline  
Old 02-18-2008, 02:29 PM   #3
thomas708
New Member
 
Join Date: Feb 2008
Model: 8100
PIN: N/A
Carrier: T-Mobile
Posts: 13
Default

By reading this forum and doing some Googling I already know that after 10 failed attempts the Password Keeper will wipe out the database. What I want to know is what is the relative ease/difficulty of hacking the Password Keeper database should my device get lost or stolen. Are there any known cases of a Password Keeper database being successfully cracked?

The reason I'm asking is I'll feel safer to put more sensitive data, such as financial data, on the device if the encryption level and other protection measures are so strong that the chances of a successful hack are very, very, very low. This article (Blackberry Blog: Splash ID: should you store your bank, credit card and password information on a BlackBerry?) voices the same concern as I; however, not much useful information is available.

Another article talking about the same thing (http://seclists.org/basics/2007/Aug/0188.html). Again, no responses. I'm a little amazed that this type of question is being met with cold feet! Do people truly believe that a security application is more secure if how well (or not so well) it works is being obscured?

Last edited by thomas708; 02-18-2008 at 02:50 PM..
Offline  
Old 02-20-2008, 02:31 AM   #4
VirexInc
No longer Registered.
 
Join Date: Jan 2008
Model: 8130
PIN: N/A
Carrier: Verizon
Posts: 466
Default

The security offered by the BlackBerry meets the strict government confidentiality and security requirements for remote data access. They also meet the Department of Defense requirements for S/MIME (Secure/Multipurpose Internet Mail Extensions) and PKI (Public Key Infrastructure).

Using Advanced Encryption Standard (AES) or Triple Data Encryption Standard (Triple DES) encryption, email and other data remain encrypted at all points between the BlackBerry smartphone and the destination.

In a nutshell, with only 10 chances to get the password the chances of brute force attack are NANO SLIM! So basically your info is safe enough that it meets DOD requirements for secure data storage
Offline  
Old 02-20-2008, 10:02 AM   #5
6502programmer
Thumbs Must Hurt
 
Join Date: Aug 2005
Model: 9000
OS: 4.6.0.266
Carrier: AT&T Wireless
Posts: 69
Default

Quote:
Originally Posted by VirexInc
In a nutshell, with only 10 chances to get the password the chances of brute force attack are NANO SLIM! So basically your info is safe enough that it meets DOD requirements for secure data storage
I will put on my CISSP hat and add ONE small caveat. If the device itself is not password protected, this isn't entirely accurate. Assuming the device is not password-protected, it would be possible to make a backup, try ten times, restore from backup, try ten more times, lather, rinse, and repeat.

It's good practice anyway to use a device password, reasonably short timeout, and lock on holstering. Combined with the security layered in with the ability to limit the number of password attempts in password manager down to ONE, it's quite secure.
__________________
957 => 5820 => 7280 => 7290 (UL) => 8820 (UL) => 9000 (UL/DB) => 9800
Offline  
Old 02-20-2008, 03:51 PM   #6
thomas708
New Member
 
Join Date: Feb 2008
Model: 8100
PIN: N/A
Carrier: T-Mobile
Posts: 13
Default

Thanks VirexInc and 6502programmer! That answers my question, and more.

VirexInc, can you point me to more information regarding (a) the BlackBerry meeting DoD requirements for S/MIME and PKI and (b) that all data is encrypted at all points between the device and the destination? I had a hard time googling for this information. Thanks.
Offline  
Old 02-21-2008, 02:11 AM   #7
VirexInc
No longer Registered.
 
Join Date: Jan 2008
Model: 8130
PIN: N/A
Carrier: Verizon
Posts: 466
Default

Quote:
Originally Posted by thomas708
Thanks VirexInc and 6502programmer! That answers my question, and more.

VirexInc, can you point me to more information regarding (a) the BlackBerry meeting DoD requirements for S/MIME and PKI and (b) that all data is encrypted at all points between the device and the destination? I had a hard time googling for this information. Thanks.
Well, considering we are talking about BlackBerrys here, why not start at the source?

BlackBerry
or
Research In Motion
Offline  
Old 02-21-2008, 09:18 AM   #8
6502programmer
Thumbs Must Hurt
 
Join Date: Aug 2005
Model: 9000
OS: 4.6.0.266
Carrier: AT&T Wireless
Posts: 69
Default

Quote:
Originally Posted by thomas708
VirexInc, can you point me to more information regarding (a) the BlackBerry meeting DoD requirements for S/MIME and PKI and (b) that all data is encrypted at all points between the device and the destination? I had a hard time googling for this information. Thanks.
S/MIME is provided by an add-on, primarily meant for BES, that is licensed per device.

Regarding security, BlackBerry - BlackBerry | Wireless Handheld Devices, Software & Services from Research In Motion (RIM) will answer your questions. It uses AES or Triple DES to provide end to end security between BIS/BES and handheld. In the case of WiFi, it uses a TLS connection back to RIM to provide integrity and confidentiality of the data.
__________________
957 => 5820 => 7280 => 7290 (UL) => 8820 (UL) => 9000 (UL/DB) => 9800
Offline  
Old 02-21-2008, 07:48 PM   #9
Nextel User
BlackBerry Extraordinaire
 
Join Date: May 2005
Model: 8220
Carrier: AT&T
Posts: 1,146
Default

Wow..... I made a backup of my device (not password protected) and opened the IPD file with Excel. I found data from the Password Keeper in there.

So no, it's not that secure UNLESS you password protect your device.
Offline  
Old 02-22-2008, 12:54 AM   #10
FF2
CrackBerry Addict
 
Join Date: Jan 2008
Model: 8830
PIN: N/A
Carrier: verizon
Posts: 755
Default

I'm curious what kind of data. I just peered through my backup and do not see some of the data (forum names for which I stored my ID and password) in that file. I think I did a "full" backup.
Offline  
Old 02-22-2008, 09:06 AM   #11
6502programmer
Thumbs Must Hurt
 
Join Date: Aug 2005
Model: 9000
OS: 4.6.0.266
Carrier: AT&T Wireless
Posts: 69
Default

Quote:
Originally Posted by FF2
I'm curious what kind of data. I just peered through my backup and do not see some of the data (forum names for which I stored my ID and password) in that file. I think I did a "full" backup.
I call shenanigans. I just looked too and didn't see any of the insurance or financial information I keep in my password keeper store either.

Password protecting the device is a good step. I haven't tested whether it affects backups as well, but I would recommend using content protection as well. I'm not all that bright, so I need to not enable it on the address book so I can see names on the calls that come in when the device is locked.
__________________
957 => 5820 => 7280 => 7290 (UL) => 8820 (UL) => 9000 (UL/DB) => 9800
Offline  
Old 02-23-2008, 06:46 AM   #12
VirexInc
No longer Registered.
 
Join Date: Jan 2008
Model: 8130
PIN: N/A
Carrier: Verizon
Posts: 466
Default

OK, this is something that kinda irks me about BB users. Okay, so the BB is by far the best phone for security purposes and transmitting and receiving data (at least in the civilian sector). Anyway, if someone is coming on this forum talking about possible data leaks on the device and they don't have a device password or at least content protection enabled, then why the F&*# do these people get a BB in the first place? I think some users are just trying to be "cool" and impress their friends by saying they have one when in reality they don't need it or have no idea what the real uses of the device are!
Offline  
Old 05-17-2008, 06:46 PM   #13
legacyb4
Thumbs Must Hurt
 
Join Date: Apr 2008
Model: 8330
PIN: N/A
Carrier: Bell Mobility
Posts: 101
Default

I would imagine password protect AND enable content protection would be required to scramble the stored data?
__________________
Blackberry Curve 8330 @ 4.3.0.124 (3.1.0.71)
Offline  
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.