Security Experts:

RIM to Blacklist Weak Passwords in BlackBerry 10

RIM is planning to release BlackBerry 10, the latest edition of its mobile operating system, on Jan. 30, and with that release comes an unmentioned security feature – password blocking. RIM hasn’t officially announced the protection settings, but a BlackBerry site in the U.K. discovered a list of 106 passwords that are forbidden on the new mobile OS.

BlackBerry“In building BlackBerry 10, we set out to create a truly unique mobile computing experience that constantly adapts to your needs. Our team has been working tirelessly to bring our customers innovative features combined with a best in class browser, a rich application ecosystem, and cutting-edge multimedia capabilities. All of this will be integrated into a user experience – the BlackBerry Flow – that is unlike any smartphone on the market today,” said Thorsten Heins, President and CEO of Research In Motion.

Heins’ comments were part of a statement announcing the BlackBerry 10 launch, and as you can see, security was not even mentioned. Yet, BlackBerry is still a common mobile platform in the workplace, and with the discussions around the “BYOD” issue, one can be sure that RIM has been paying attention.

Password security has always been a weakness in IT. Getting the end-users to create (and then remember) complex passphrases is impossible. Inevitably, someone somewhere will create a password of 12345, or abc123, and expose the application or account to malicious acts. Weak passwords have been blamed for several breaches in years past, yet nothing has changed. Systems still allow them, so they’re used.

RIM is attempting to change that.

According to RapidBerry in the U.K., 106 passwords are forbidden in BlackBerry 10 – and it is assumed that the list will grow. In fact, the comments in the code itself say that the list is to be kept in sync with the BlackBerry Identity Management server (BB IdM). As expected the basics are all included, such as 12345 and 12345678. There’s also changeme, abc123, abcdef, and asdfgh. However, other common dictionary-based passwords are also listed.

Enabling blacklisting for blatantly weak passwords is a good move, but hardly something that will make the devices bullet proof.

"While preventing users from choosing bad passwords such as 'password' may seem like it would increase security, this move is just a token measure that does little to increase security and likely a lot to frustrate users,” John Yeo, Director of TrustWave's SpiderLabs EMEA told SecurityWeek in an emailed statement. “Instead of blacklisting a few words, a more secure option would be to enforce some basic password complexity requirement. Also, consider now there is a list of 106 known unusable passwords that someone malicious needn't bother trying."

The list of blacklisted passwords so far is available form RapidBerry.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.