Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Blackberry OS 10 BlackLists Batman and PoohBear

A Blackberry oriented website in the UK was the first to notice an interesting new feature in the most recent developer release of the Blackberry 10 OS. They found what looks like a list of one hundred and six blacklisted passwords. The list would prevent you from using specific words to secure your device.

At first glance this seems like a great idea. People always choose crappy passwords like 'password' or '123456' or 'aaaaaa'. By preventing these words from being used as passwords in the first place you increase your security right? Not really, and actually you probably reduce it a little bit. This list of banned words won't be a secret; anyone with access to the list can remove those words from a dictionary attack. Sure, one hundred and six words won't make a huge difference but it will make figuring out the password just a little bit faster.

One thing this banned list will do is aggravate customers who try to use one of the banned words as the password to their device. According to RapidBerry, the site that published the list, words like 'batman' and 'poohbear' are on the banned list, as well as 'baseball', 'sunshine' and even 'blackberry'. None of those words are even in in the top 100 of the most frequent passwords people use according to the 2012 Trustwave Global Security report. Since these aren't very common words they won't impact many people but why bann them and take the risk of upsetting any customers? If you were going to create a blacklist of words not to be used as passwords you would think that the list would include the most popular passwords like 'Password2', 'P@ssw0rd', 'Welcome2', 'Winter10', or ' Summer11' all of which are in Trustwave's top twenty five found passwords but none of which are in Blackberries blacklist.

To be fair Trustwave's list includes complex passwords or passwords that require uppercase letters, numbers and possibly punctuation. Last years list of common passwords was generated from cracked lists of hundreds of thousands of passwords. (We will have a new list this years in the 2013 GSR made from even more cracked passwords) Cracking passwords with a brute force attack is not difficult, and with a dictionary attack it is even easier. In the case of a mobile device like a Blackberry the most difficult part is actually getting to the password, either by removing the password file from the device or by access the password in some other way so that you can apply your cracking software to it. Cracking the password itself is usually a fairly simple matter.

So why is RIM bothering to have a password blacklist? It will not improve security and may in fact weaken it a little bit. It will frustrate and upset some customers. If this is about security a better idea would be to force a complex password scheme requiring uppercase letters, numbers and punctuation and a minimum character length. So far this is only in a developer release of Blackberry OS 10, hopefully this feature is only present for testing or some other pre-release reason and will be improved or removed before final release.