Goodbye, 123456: Blackberry bans weak passwords

07 December 2012

Blackberry has always had a reputation for taking particular care when it comes to security. Its enterprise-server-based deployment configuration was one of the reasons the Blackberry soared to such a high penetration rate in North America, pre-iPhone. Now, Blackberry-maker Research in Motion is tackling the consumer side of things, banning 106 passwords from being used with its devices because they are too weak.

Among the list, published in full on the Rapidberry blog, are no-brainers like '123456', 'Blackberry' and the ever-popular 'password', but also Canada and Molson, Poohbear and Tigger, and names like Natasha and Patrick.

The ban extends to Blackberry IDs only, and does not affect what users are relying on to secure the devices themselves. Blackberry IDs are used to log into apps and services or restricted areas on the Website.
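As an added illustration of the kind of check such a ban implies (example code written for this page, not RIM's implementation), the snippet below rejects a candidate BlackBerry ID password if it is on the list or is only a trivial variant of a listed entry. The banned set is a constructed sample drawn from the words the article quotes, not the full 106-entry list, and the leet-speak map and normalisation rules are assumptions for the example.

```python
import re

# Constructed sample of entries the article says RIM blocked for BlackBerry ID;
# the full 106-entry list published by Rapidberry is not reproduced here.
BANNED = {
    "123456", "blackberry", "password", "canada", "molson",
    "poohbear", "tigger", "natasha", "patrick",
}

# Common substitutions users make to squeeze a banned word past a filter.
# This map is an assumption for the example, not RIM's actual rule set.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Reduce a candidate to the word the user most likely started from:
    lower-case it, drop digits/punctuation tacked onto either end,
    then undo leet-speak substitutions inside the remaining core."""
    core = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", pw.lower())
    return core.translate(_LEET)


def is_banned(pw: str, banned: set[str] = BANNED) -> tuple[bool, str]:
    """Return (rejected, reason).

    Exact matches are tested first so purely numeric entries such as
    '123456' are caught before normalisation, which is only meaningful
    for word-based passwords."""
    lowered = pw.lower()
    if lowered in banned:
        return True, f"'{lowered}' is on the banned list"
    core = normalise(pw)
    if core and core in banned:
        return True, f"trivial variant of banned password '{core}'"
    return False, ""


if __name__ == "__main__":
    for candidate in ("123456", "Tigger", "Password1", "P@ssw0rd!",
                      "bl4ckberry2012", "Molsons", "correct horse battery staple"):
        rejected, why = is_banned(candidate)
        print(f"{candidate!r}: {'REJECT' if rejected else 'ok'} {why}")
```

Only exact entries and their padded or leet-spelled forms are caught; "Molsons" passes, which is deliberate, since substring matching against a long word list produces far more false rejections than a denylist of this kind intends.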

“BlackBerry continually looks to help its customers protect their confidential information," Tim Segato, senior product manager for BlackBerry security at RIM, told the Huffington Post. "One element of BlackBerry’s overall security solution is to limit commonly used passwords on BlackBerry ID."

Passwords continue to be a fertile field for debate when it comes to best practices. Conventional wisdom says that changing them every 90 days is a good first step. Others, like Andrew Jaquith, CTO of Perimeter E-Security and former Forrester analyst on password security, disagree.

“Requiring employees to change their passwords every 90 days just annoys them, and they will do highly insecure things to cope as a result,” he told Infosecurity last month. “They will scribble passwords on sticky notes, re-use the same password everywhere or make the absolute smallest changes to their passwords that they can while still complying with policy.”

Some, like government agencies, fall back on hash algorithms, which convert plaintexts of any length into fixed-length digests in a manner that cannot mathematically be reversed. But even this technique can be compromised: as Infosecurity reported, the widely used SHA1 hash is no longer considered to be strong.

One-click password management, digital federated identities and other authentication schemes aimed at taking the memory and guesswork out of the equation are increasingly being floated as ideas to remedy the problem, but more often than not, companies are falling back on the users themselves to choose passwords that can’t be easily guessed.

Blackberry is not alone in its move: Gmail and Hotmail both banned weak passwords last year.
