BlackBerry Forums Support Community
              

View Poll Results: Passwords should be...
  Complex, 8-char, password history kept, 30-day expiration, required: 9 votes (21.95%)
  Required, but no quality requirements: 27 votes (65.85%)
  Optional: 5 votes (12.20%)
Voters: 41.

Old 05-11-2005, 03:59 PM   #21
udontknowjack
Talking BlackBerry Encyclopedia
 
Join Date: Aug 2004
Location: State of Confusion
Model: 9000
Carrier: T-Mobile
Posts: 483

Content protection slows down the device.

Here is my take on passwords and BB. With a BlackBerry, you carry your complete contact list and emails with you wherever you go. We seem to think it is a requirement to password our PCs that sit at our desks or laptops that aren't as portable as a BB, but for some reason people don't want passwords on a BlackBerry. I've been with two companies now and neither wants to password the BlackBerry because it is "inconvenient". With more security comes inconvenience, folks. I just don't get it. We walk out the door of our company with valuable information in a small device that can be lost or stolen, but don't want to protect it with a simple password. AND if it is lost, it is entirely possible that the person won't realize it is lost right away, giving someone time to get the data they want before a kill command can be sent. At least with a password it is a deterrent, and after 10 attempts the device is wiped anyway.
Old 05-11-2005, 04:05 PM   #22
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144

Good news: CEO is reconsidering after I gave him the URL to this thread.

His counter-proposal stands at 4 characters, no quality rules, 60 minute timeout. What do you think? (I think at least 6, complexity, 5 minutes.) This adds 3 keystrokes per logon, which I estimate would equate to 30-minute lost opportunity cost per day for the entire organization. But the cost of not doing it could easily exceed that, making it a bargain.

Thanks for your replies, and keep posting; we're still negotiating, and he has the URL now so he may be lurking. (Hi, CEO, if you're out there...create an account and post in this thread if you dare! )

I'll let y'all know what the final outcome is. Thanks!
Old 05-12-2005, 04:00 PM   #23
elgauchogrub
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Seattle, WA
Model: 8800
Carrier: Cingular
Posts: 58

People here complained about passwords until one of them lost their BlackBerry (didn't tell us for a couple of days) and whoever found it deleted most of their calendar and email.
Old 05-12-2005, 04:02 PM   #24
elgauchogrub
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Seattle, WA
Model: 8800
Carrier: Cingular
Posts: 58

If you go for the 4 character/non-complex password, lower "Maximum Password attempts" from the default 10? down to 5.
Old 05-12-2005, 04:21 PM   #25
PhilMax
Talking BlackBerry Encyclopedia
 
Join Date: Mar 2005
Location: McKinney, Texas
Model: 7100g
Posts: 236

Quote:
Originally Posted by elgauchogrub
If you go for the 4 character/non-complex password, lower "Maximum Password attempts" from the default 10? down to 5.
I would think that reasonable.
__________________
Me? 7130C/BES

Who says they can't teach an 'old dog' new tricks!
Old 05-12-2005, 06:35 PM   #26
DoomBringer
Talking BlackBerry Encyclopedia
 
Join Date: Feb 2005
Model: 7280
Carrier: cingular, no wait, AT&T
Posts: 300

4 is ok. Like I said, there isn't a way to brute force a BB, far as I know. A 4 letter password would take mere seconds to crack via bruteforce on a PC...
Just keep the attempts low. In order to brute force the password, you'd have to guess 26^4 passwords. Of course, if anyone uses "pass" as a password, they deserve to be shot. That is part of any hacker's dictionary attack.
Old 05-12-2005, 10:30 PM   #27
corey@12mile
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148

DoomBringer... hook your BB into a machine with Desktop Manager; it prompts you for your password from the handheld. This is about the only way to brute force it. Unless you can do a complete backup of a handheld, then change the password, then compare the 2 backups using UltraCompare or something and see if there is a way to crack the encrypted password...

There are lots of implementations of RSA out there, I'm sure with the horsepower of today's machines it wouldn't take too too long to break a password...

cd.

ps. the compare thing would pretty much tell you where in the backup/dump the password resides; you could then take a backup of a compromised handheld, know where the password is (memory location) and brute force that on larger hardware.

cd.
Old 05-12-2005, 10:55 PM   #28
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144

"as far as I know"

Famous last words, DoomBringer! You're a BB developer, and more informed about BB's API than I will ever be, so you have perspective that most of us, including me, lack.

But for the record, 26^4 is only the number of attempts it would take if the previous (26^4)-1 attempts, and the dictionary attack that preceded the brute-force attack, didn't succeed.

But from my perspective as a system admin (and a dev myself, a few years back, tho' not BBs, certainly, and before security became as big an issue as it is now) I believe that any reasonably useful product can be hacked if enough effort is put into it. And here's a ripe target: A powerful device containing confidential info that can be managed by BES, Desktop Redirector, 3rd parties using APIs (some, undoubtedly, undocumented but reverse-engineerable), BlackBerry Web Client, AND has a public IP address. Hmmmm...

I don't think anything is invulnerable, least of all BBs. More reasonable, in my opinion, is to say that it hasn't been done.

Companies that didn't take viruses seriously were hammered by Melissa, LoveLetter and Magistr. Home users and a few clueless SOHO's are to this day. Shouldn't my client, using 4-character, non-complex passwords, expect to be among the first exploited BB sites?

Not picking on you, DoomBringer, I appreciate your contributions...but I think this is a valuable discussion for BB admins to have.

And (an aside not addressed specifically to DoomBringer) the more I think about this, the more ludicrous it seems...that users of a device with a keyboard and designed around e-mail get so worked up over having to enter 3 or 4 additional keystrokes a few times a day!

Last edited by JRV; 05-12-2005 at 11:18 PM..
Old 05-13-2005, 11:59 AM   #29
DoomBringer
Talking BlackBerry Encyclopedia
 
Join Date: Feb 2005
Model: 7280
Carrier: cingular, no wait, AT&T
Posts: 300

Quote:
Originally Posted by JRV
"as far as I know"

Famous last words, DoomBringer! You're a BB developer, and more informed about BB's API than I will ever be, so you have perspective that most of us, including me, lack.

But for the record, 26^4 is only the number of attempts it would take if the previous (26^4)-1 attempts, and the dictionary attack that preceded the brute-force attack, didn't succeed.

But from my perspective as a system admin (and a dev myself, a few years back, tho' not BBs, certainly, and before security became as big an issue as it is now) I believe that any reasonably useful product can be hacked if enough effort is put into it. And here's a ripe target: A powerful device containing confidential info that can be managed by BES, Desktop Redirector, 3rd parties using APIs (some, undoubtedly, undocumented but reverse-engineerable), BlackBerry Web Client, AND has a public IP address. Hmmmm...

I don't think anything is invulnerable, least of all BBs. More reasonable, in my opinion, is to say that it hasn't been done.

Companies that didn't take viruses seriously were hammered by Melissa, LoveLetter and Magistr. Home users and a few clueless SOHO's are to this day. Shouldn't my client, using 4-character, non-complex passwords, expect to be among the first exploited BB sites?

Not picking on you, DoomBringer, I appreciate your contributions...but I think this is a valuable discussion for BB admins to have.

And (an aside not addressed specifically to DoomBringer) the more I think about this, the more ludicrous it seems...that users of a device with a keyboard and designed around e-mail get so worked up over having to enter 3 or 4 additional keystrokes a few times a day!
I hadn't thought of the desktop manager. Well, then there is a way to do it. Of course, that is why you add the 30 min timeout after 5 failed attempts. That prevents the brute force attack from working.
Legend has it that the NSA tried cracking into a BB. They failed. Of course, they might not have done it the right way or whatever...
Yes, you are correct about the brute force number. 26^4 is the maximum number of tries for the brute force. On average, given purely random distribution of passwords, the dictionary attack will take 26^4/2 attempts. If the attack was to include numbers, then it could go up to 36^4/2.

Ultimately though, I feel that as long as a BB _has_ a password, it is far, far better than having none at all. 4 characters is far too short for a PC, due to the computational power of modern PCs. For a BB, 4 might be ok, if you pair it with the timeout. Any kind of timeout will prevent brute forcing from working in a timely manner.
Old 05-13-2005, 12:04 PM   #30
corey@12mile
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148

I'm kind of intrigued by the thought of taking a backup of a handheld, comparing it to the backup of the same handheld but with the password changed, and trying to figure out where in the dump the password is stored... anyone interested in trying out a proof of concept attack on a BlackBerry?

cd.
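Corey's proposed experiment (posts #27 and #30 above), worked through as an added illustration. This is editor-added code, not Corey's and not anything from RIM. The dump layout, the 4-byte salt and the SHA-1 check value are invented stand-ins: this page says nothing about how a BlackBerry backup is laid out or how the handheld stores its password, so treat every offset and algorithm below as an assumption. What the example does show is the technique itself: diff two backups that differ only in the password, find the bytes that moved, and then run the guessing offline, where the handheld's attempt counter and wipe policy never see a single try.

```python
import hashlib
from itertools import product

# Constructed layout for a toy "backup" of a handheld (assumption: NOT the real
# BlackBerry backup format). It only gives the differential technique something to bite on.
SALT_OFFSET = 64
SALT_LEN = 4
VERIFIER_OFFSET = SALT_OFFSET + SALT_LEN
VERIFIER_LEN = 20            # SHA-1 digest length; SHA-1 is a stand-in, not RIM's scheme
DUMP_SIZE = 256


def verifier_for(password, salt):
    """Hypothetical stored check value: SHA-1(salt || password). Stand-in only."""
    return hashlib.sha1(salt + password.encode()).digest()


def make_dump(password, salt):
    """Build a fixed-size toy dump: header, salt, password verifier, then some contact data."""
    assert len(salt) == SALT_LEN
    header = b"TOYBACKUP\x00" + b"\x00" * (SALT_OFFSET - 10)
    body = b"Contact: Alice Example <alice@example.invalid>\n"   # constructed sample data
    dump = header + salt + verifier_for(password, salt) + body
    return dump + b"\x00" * (DUMP_SIZE - len(dump))


def changed_regions(before, after):
    """Return [(offset, length), ...] for every maximal run of bytes that differs between
    two dumps. A length mismatch is reported as one extra trailing region."""
    regions = []
    start = None
    common = min(len(before), len(after))
    for i in range(common):
        if before[i] != after[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, common - start))
    if len(before) != len(after):
        regions.append((common, max(len(before), len(after)) - common))
    return regions


def locate_verifier(password_a, password_b, salt):
    """Corey's experiment: back up with one password, change it, back up again, diff.
    With everything else held constant, only the stored check value moves."""
    return changed_regions(make_dump(password_a, salt), make_dump(password_b, salt))


def offline_guess(stored, salt, wordlist, alphabet, length):
    """Offline attack against the located value: dictionary first, then exhaustive search.
    Returns (password, guesses_used) or (None, guesses_used). Because this runs on the
    attacker's hardware, no on-device attempt limit or wipe applies."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if verifier_for(word, salt) == stored:
            return word, guesses
    for chars in product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(chars)
        if verifier_for(candidate, salt) == stored:
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    salt = b"\x01\x02\x03\x04"                      # constructed salt
    print("changed regions after password change:", locate_verifier("pass", "word", salt))
    victim = make_dump("pass", salt)                 # "compromised" handheld's backup
    stored = victim[VERIFIER_OFFSET:VERIFIER_OFFSET + VERIFIER_LEN]
    print("offline result:", offline_guess(stored, salt, ["1234", "pass"], "abcdefghijklmnopqrstuvwxyz", 4))
```

The diff pins down where the check value lives only because the two dumps were taken with the same salt and nothing else changed; a format that re-salts or re-encrypts the whole store on every password change would light up far more bytes and defeat this shortcut. That is also the practical caveat for the thread: the wipe-after-N-attempts policy protects the handheld, but once a dump leaves the handheld the guessing budget is whatever the attacker's hardware allows.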
Old 05-13-2005, 12:20 PM   #31
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144

I completely agree...ANY password is better than none, esp. in conjunction with a lockout.

But a dictionary attack that puts the most frequently used "dumb" passwords first will succeed in many fewer attempts than 26^4/2.

Investing 3 or 4 extra keystrokes in a strong password is cheap insurance, and silly for them to fuss over. It's an emotional objection, not a rational one.

Regarding the "X-minute timeout after Y failed attempts" policy, does that actually exist?

The handheld is wiped after X failed attempts if the "Set Maximum Password Attempts" policy is enabled. I like that even better; no data is lost but it isn't available to be compromised if somebody tries to get it. But I don't think there's a 30-minute lockout policy available, is there?
Old 05-13-2005, 12:23 PM   #32
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144

Corey, I don't have the expertise to participate, but you could be on to something.
Old 05-13-2005, 12:51 PM   #33
corey@12mile
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148

Maybe I will have a quick look at it this weekend... If I do decide to start something, I will run a thread here to document the whole process...

cd.
Old 05-13-2005, 06:08 PM   #34
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144

I'd be real interested in what you find. And if you don't find a way to hack a BB, someone will sometime, once there are enough users to make it interesting to enough people.

By the way, if anyone cares, this thread has passed a milestone.

It is now the 2nd of 2 threads in "BES Admin Corner" to have a "hot" icon (sort the thread list by "Replies").

And at this writing, there's still just one, lonely, anonymous vote...and no posts...advocating that "Passwords should be...optional". The original IT Policy is still in force at the client. Still being considered. Will probably still lose, but not as badly.
Old 05-13-2005, 07:21 PM   #35
corey@12mile
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148

I voted that passwords should be optional... I think if people are stupid enough to lose their handheld, they should have been more careful... For my company, there really isn't any type of confidential data on the handhelds... Some of my users have passwords, others don't. They have all been told what not using a password could lead to, some are ok with it, some aren't... Either way I can wipe a handheld within minutes of being told, I have backups on my server so I am not too worried.

cd.
Old 05-13-2005, 08:19 PM   #36
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144

If it's your company, you can deal with the employee however you want. But...

Say the employee was in HR, and the handheld had salary info on it that enabled a raid by a competitor that took several of your key employees...YOU should have been more careful.

If the employee was in bidding (maybe I'm remembering someone else, but I recall you posted somewhere that you work for a contractor...this client of mine is a contractor too, and I'm an ex-architect, so I know how your business works), and the information on the BB was sold to a competitor who underbid you by 1%...YOU should have been more careful.

If the employee was in marketing, and your most important leads were sold to your competitor...YOU should have been more careful.

Need I go on? And none of this takes anything more than a few minutes to happen if an opportunist stumbles on a BB.

Sometimes, accidents happen. And even the most competent, productive, capable, valued employees lose a PDA. My client, the owner, has lost several in the last year.

Under those circumstances, if I owned the company for which you are a BES admin, and discovered that YOU had decided BB passwords were optional...or didn't voice any objections when I decided passwords should be optional...and any of this, or anything like this happened...if I had anything on the ball at all, I'd conclude that I had screwed up and needed to be more careful.

The valued employee would get a new PDA and asked to be more careful.

But Corey...you'd be gone.
Old 05-13-2005, 11:30 PM   #37
corey@12mile
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148

Absolutely... except for one thing... none of our confidential data is stored on the handheld... no HR info is ever on a BlackBerry; it's contained within a separate system. Our estimates are contained within the same system. This system is accessible from the handheld, but only very limited portions, which require additional authentication.

What you will notice is that I said "for my company" which means the company I work for... We had several meetings about the blackberries, and I did bring up the password issue, but the owners response was... Let's keep anything off the handheld that we can't afford to lose... pretty straight forward.

Now... let's say someone did manage to compromise a BlackBerry... if they got one of yours, with confidential data stored on it, and one of mine with no confidential data stored on it... who would still have a job?

Remember, I did say there was no confidential info stored on any of my handhelds... nor is there any contact info stored, except for saved email headers... Our entire address book is stashed in public folders and lookups are done when needed. But then again, where I live and work, everybody knows everybody, so we know who our competitors are, we know who our clients are, we know who our competitors' clients are... that is no secret...

So really... in the end... my job is very secure. I sleep well at night with my data security at work...

cd.
Old 05-14-2005, 04:45 PM   #38
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144

I saw the sentence about no confidential information, but I didn't honestly believe it. None of your BB users ever sends an e-mail about hiring & firing? Salaries? Performance reviews? Marketing? Bidding? Nothing too valuable to lose? Or do you just disable e-mail and contacts?

BlackBerries would be absolutely useless to my client without confidential info. Many field personnel, for example, don't have computers so this is their only access to e-mail.

I think we can probably agree that most users won't have such sanitized BlackBerrys. These users certainly won't. An optional password is nuts unless you can guarantee that they are now and forever squeaky-clean.
Old 05-14-2005, 05:28 PM   #39
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144

Quote:
Originally Posted by corey@12mile
Our entire address book is stashed in public folders and lookups are done when needed.
There's another one I don't quite believe...BlackBerry lookups in Public Folders? Exchange Public folders?? That's a holy grail for a lotta BES folks on this board...how are you managing that?
Old 05-14-2005, 09:54 PM   #40
jibi
BlackBerry God
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310

What has already been said, most likely (from skimming through, it has sort of been), but brute force would not be an option on BlackBerry unless the person is using a one-letter password or a VERY common word (as in top of the dictionary). They would have to get VERY lucky in order to have BF work (via DM) - I would say they had better chances at winning the lottery, to be honest. Their chances at guessing lessen with each letter you add to the required length. For 4-5 letter passwords, a full base-level BF can be run in about 10-18 hours (give or take, depending on the hardware). With 10 attempts at breaking the password, you can see why BF would not be considered a valid method of breaking the password on a secured handheld.

Just my opinion.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
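The arithmetic the thread keeps returning to, worked through as an added example: DoomBringer's 26^4 keyspace and 26^4/2 average (posts #26 and #29), JRV's point that a "common passwords first" list beats that average (post #31), the wipe-after-N-attempts policy versus the "30 minutes after 5 failures" timeout (posts #24, #29 and #31), and jibi's "10-18 hours for 4-5 letters" estimate above. This is editor-added code, not anything posted in the thread or shipped by RIM. The lockout timeout is modelled as a hypothetical policy (JRV asks whether it exists at all, and the thread never settles it), and SAMPLE_SHARES is made-up data standing in for real password popularity.

```python
from fractions import Fraction
import math

# Alphabet sizes the thread reasons with.
LETTERS = 26          # a-z only
LETTERS_DIGITS = 36   # a-z plus 0-9


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters (26**4 in the thread)."""
    return alphabet_size ** length


def expected_guesses_uniform(alphabet_size, length):
    """Average guesses to find a uniformly random password when each candidate is tried once.
    Exactly (N+1)/2, which is the thread's 'N/2' for any realistic N."""
    return Fraction(keyspace(alphabet_size, length) + 1, 2)


def p_success_uniform(alphabet_size, length, attempts):
    """Probability an on-device attacker wins before the wipe triggers after `attempts`
    failures, assuming the password is uniformly random."""
    n = keyspace(alphabet_size, length)
    return Fraction(min(attempts, n), n)


def p_success_dictionary(shares, attempts, alphabet_size, length):
    """JRV's point: try the most common passwords first.
    `shares` is a list of (password, fraction_of_users) pairs for popular choices; users not
    covered by the list are assumed to have picked uniformly from the remaining keyspace.
    Returns the probability of success within `attempts` on-device guesses."""
    ordered = sorted(shares, key=lambda kv: kv[1], reverse=True)
    listed = sum((share for _, share in ordered[:attempts]), Fraction(0))
    leftover = max(0, attempts - len(ordered))
    unlisted_mass = 1 - sum((share for _, share in ordered), Fraction(0))
    rest = keyspace(alphabet_size, length) - len(ordered)
    return listed + unlisted_mass * Fraction(min(leftover, rest), rest)


def lockout_minutes_to_exhaust(alphabet_size, length, attempts_per_window, window_minutes):
    """Worst-case wall-clock minutes to try the whole keyspace if the device allows only
    `attempts_per_window` guesses and then locks for `window_minutes` (hypothetical policy)."""
    n = keyspace(alphabet_size, length)
    return math.ceil(n / attempts_per_window) * window_minutes


def implied_guess_rate(alphabet_size, length, hours):
    """Guesses per second an unthrottled search must sustain to cover the keyspace in `hours`,
    e.g. to check jibi's 10-18 hour figure for 4-5 letters."""
    return keyspace(alphabet_size, length) / (hours * 3600)


# Constructed sample of 'dumb' password popularity; invented numbers, not measured data.
SAMPLE_SHARES = [
    ("pass", Fraction(5, 100)),
    ("1234", Fraction(4, 100)),
    ("love", Fraction(3, 100)),
    ("abcd", Fraction(2, 100)),
    ("test", Fraction(1, 100)),
]


def main():
    for name, size in (("letters", LETTERS), ("letters+digits", LETTERS_DIGITS)):
        n = keyspace(size, 4)
        avg = float(expected_guesses_uniform(size, 4))
        p10 = float(p_success_uniform(size, 4, 10))
        print(f"{name:15s} 4-char keyspace={n:>9d} avg guesses={avg:.0f} "
              f"P(win in 10 on-device tries, random pw)={p10:.2e}")
    p_dict = float(p_success_dictionary(SAMPLE_SHARES, 10, LETTERS, 4))
    print(f"P(win in 10 tries, common-first list, sample data)={p_dict:.3f}")
    mins = lockout_minutes_to_exhaust(LETTERS, 4, 5, 30)
    print(f"26^4 at 5 tries per 30-minute lockout: {mins} minutes = {mins / 60 / 24 / 365:.1f} years")
    print(f"Rate needed to cover 26^5 in 10 h: {implied_guess_rate(LETTERS, 5, 10):.0f} guesses/s")


if __name__ == "__main__":
    main()
```

The two policies protect against different things: the wipe caps the attacker at a fixed number of on-device guesses, so the odds against a random 4-letter password are 10 in 456,976, while a lockout only stretches the same exhaustive search across years of wall-clock time. Neither helps if the password sits at the top of a common-word list, which is why a short password with no quality rule is only as strong as the first handful of entries on that list.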

Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.