Goodbye, 123456: Blackberry bans weak passwords

07 December 2012

Blackberry has always had a reputation for taking particular care when it comes to security. Its enterprise-server-based deployment configuration was one of the reasons the Blackberry soared to such a high penetration rate in North America, pre-iPhone. Now, Blackberry-maker Research in Motion is tackling the consumer side of things, banning 106 passwords from being used for Blackberry IDs because they are too weak.

On the list, published in full on the Rapidberry blog, are no-brainers like '123456', 'Blackberry' and the ever-popular 'password', but also Canada and Molson, Poohbear and Tigger, and names like Natasha and Patrick.

The ban applies to Blackberry IDs only; it does not affect the passwords users set to lock the devices themselves. Blackberry IDs are used to log into apps and services, and into restricted areas of the website.

“BlackBerry continually looks to help its customers protect their confidential information," Tim Segato, senior product manager for BlackBerry security at RIM, told the Huffington Post. "One element of BlackBerry’s overall security solution is to limit commonly used passwords on BlackBerry ID."

Passwords continue to be a fertile field for debate when it comes to best practices. Conventional wisdom says that changing them every 90 days is a good first step. Others, like Andrew Jaquith, CTO of Perimeter E-Security and former Forrester analyst on password security, disagree.

“Requiring employees to change their passwords every 90 days just annoys them, and they will do highly insecure things to cope as a result,” he told Infosecurity last month. “They will scribble passwords on sticky notes, re-use the same password everywhere or make the absolute smallest changes to their passwords that they can while still complying with policy.”

Some, such as government agencies, rely on hash algorithms to protect stored passwords: a hash function maps a plaintext of any length to a fixed-length digest in a way that cannot mathematically be reversed. But hashing only protects a password as well as the password resists guessing. An attacker who obtains the stored digests can test candidate passwords against them offline, and a fast, unsalted hash lets them test candidates very quickly, so a password on a list like RIM's falls almost immediately whether or not it was hashed. And even the hash itself can be found wanting: as Infosecurity reported, the widely used SHA1 hash is no longer considered to be strong.
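As an added example (not RIM's code, and not from the original article), the following Python shows the two points made above: a case-insensitive blocklist check of the kind a Blackberry ID signup could apply, using a constructed subset of the banned list built from the nine entries quoted earlier (the real list has 106), and an offline dictionary attack on unsalted SHA1 digests that shows why hashing alone does not rescue a guessable password, alongside a salted, deliberately slow PBKDF2 hash. The function names, the 200,000 iteration count and the sample passwords are assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Iterable, Iterator, Optional, Tuple

# Constructed subset of the banned list: the nine entries the article quotes.
# The real list has 106 entries; this is illustration only.
BANNED = frozenset(p.casefold() for p in (
    "123456", "Blackberry", "password", "Canada", "Molson",
    "Poohbear", "Tigger", "Natasha", "Patrick",
))


def normalise(password: str) -> str:
    """Canonicalise a candidate so trivial variants ('BLACKBERRY', ' Password ')
    still match the blocklist: Unicode NFKC, strip surrounding whitespace, casefold."""
    return unicodedata.normalize("NFKC", password).strip().casefold()


def is_banned(password: str) -> bool:
    """Blocklist check of the kind a signup form applies before accepting a password."""
    return normalise(password) in BANNED


def sha1_unsalted(password: str) -> str:
    """How a naive password store hashes: one fast SHA1 over the bare password, no salt.
    Identical passwords give identical digests, and each guess costs one cheap hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def case_variants(words: Iterable[str]) -> Iterator[str]:
    """Cheap mangling rules an attacker applies to a wordlist: as-is, Capitalised, UPPER."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w.upper()


def crack_sha1(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against one unsalted SHA1 digest. Returns the
    recovered password, or None if no candidate matched."""
    for cand in candidates:
        if hmac.compare_digest(sha1_unsalted(cand), digest):
            return cand
    return None


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). A random 16-byte salt per
    user defeats precomputed tables; the iteration count (an assumed value) makes every
    guess cost `iterations` HMAC evaluations instead of a single SHA1."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk


def pbkdf2_verify(password: str, salt: bytes, dk: bytes,
                  iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, cand = pbkdf2_hash(password, salt, iterations)
    return hmac.compare_digest(cand, dk)


if __name__ == "__main__":
    for pw in ("BlackBerry", "  password ", "Tigger", "correct horse battery staple"):
        print(f"{pw!r:35} banned={is_banned(pw)}")

    # A user who picked a banned password, and a store that used unsalted SHA1:
    stored = sha1_unsalted("Poohbear")
    print("cracked:", crack_sha1(stored, case_variants(BANNED)))

    # A strong password hashed with PBKDF2 still verifies, and a near miss fails:
    salt, dk = pbkdf2_hash("correct horse battery staple")
    print("verify ok:", pbkdf2_verify("correct horse battery staple", salt, dk))
    print("verify wrong:", pbkdf2_verify("Correct horse battery staple", salt, dk))
```

The two halves belong together: PBKDF2 raises the cost of each guess, but an attacker who only needs a few hundred guesses from a list like RIM's still wins, so the blocklist is what removes those candidates, and the slow, salted hash is what protects everyone whose password is not on such a list.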

One-click password management, digital federated identities and other authentication schemes aimed at taking the memory and guesswork out of the equation are increasingly being floated as remedies, but more often than not companies are still falling back on the users themselves to choose passwords that can't be easily guessed.

Blackberry is not alone in its move: Gmail and Hotmail both banned weak passwords last year.

This article is featured in:
Application Security  •  Identity and Access Management  •  Industry News  •  Wireless and Mobile Security

