Purpose of maximum password age
I am facilitating a new IT policy so our Blackberry devices will require passwords. The policy is being accepted with a little resistance, BUT there is a little resistance. One particular user is upset that we are setting a maximum password age of 90 days. And it got me to thinking...
As a general security posture, setting a maximum password age in other environments (Windows, et al) is done under the assumption that someone could obtain or intercept an encrypted password stream or cache. If passwords are strong enough, it then may take them x days to crack the password(s). Setting a maximum password age reduces the exposure in the hope that password(s) have expired by the time they are cracked.
I don't have much experience with Blackberrys, BESs, cradles, backups, etc. I'd like to know if maximum BB password age reduces some security exposure. Some questions that come to my mind are,
- Would a compromised Blackberry device password be useful or useless in the hands of someone who actually does not have the device?
- I was listening to a forensics podcast this morning where they talked about imaging and/or backing up the contents of a Blackberry. Say someone had physical access to a password-protected Blackberry device for a short period of time and returned it unnoticed. Can they copy or back up its contents without knowing the password? If so, could they crack the password, and would it be of use to them?
- I also implemented "no password the same as previous x passwords." Are these passwords (or hashes thereof) stored on the device or on the BES? If on the BES, then I would think it would be especially important to protect them there.
There may be other or more relevant questions. I'm willing to change my stance on maximum password age, but either way, I obviously need a more concrete foundation for my stance. I will appreciate any insights you can provide.
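The exposure argument in the opening post (rotation only helps if the password expires before a captured hash can be cracked) worked through as an added example; this is not code from the thread or from BES. The guess rates, policies and the 90-day age are constructed assumptions, and the model assumes an attacker who obtained a hash or image on day 0 and guesses offline without any device lockout.

```python
"""Added illustration: does a maximum password age bound the exposure from a
captured password hash? Policies and guess rates below are constructed."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet: int  # size of the character set the policy allows
    length: int    # password length enforced by the policy

    def keyspace(self) -> int:
        return self.alphabet ** self.length


def expected_crack_days(policy: Policy, guesses_per_second: float) -> float:
    """Average days to recover a uniformly random password by exhaustive
    guessing: on average half the keyspace is tried before the hit."""
    return policy.keyspace() / 2 / guesses_per_second / SECONDS_PER_DAY


def rotation_bounds_exposure(policy: Policy, guesses_per_second: float,
                             max_age_days: int) -> bool:
    """True when the password is expected to expire before an attacker who
    captured its hash on day 0 finishes searching the keyspace. If this is
    False the age limit does not help against offline cracking; if the
    expected time is far beyond the age, rotation adds little either."""
    return expected_crack_days(policy, guesses_per_second) > max_age_days


def report(policies, guesses_per_second: float, max_age_days: int):
    """One row per policy: name, expected crack time in days, and whether
    the maximum age expires the password before that time."""
    return [(p.name, expected_crack_days(p, guesses_per_second),
             rotation_bounds_exposure(p, guesses_per_second, max_age_days))
            for p in policies]


if __name__ == "__main__":
    # Constructed example policies; 1e6 guesses/s is an assumed offline rate.
    policies = [Policy("4-digit PIN", 10, 4),
                Policy("6 lowercase letters", 26, 6),
                Policy("8 mixed alphanumeric", 62, 8)]
    for name, days, bounded in report(policies, 1e6, 90):
        print(f"{name:22s} expected crack {days:12.4f} days  "
              f"90-day age helps: {bounded}")
```

The rows show the narrow band in which rotation matters: a short PIN or short lowercase password falls to an offline attack long before 90 days regardless of the age setting, while a long mixed-character password is what actually pushes the expected crack time past the age limit.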
Hi xinger, welcome to Pinstacks
Yes in my opinion it's still useful as long as the device is still available or the password is still valid.
Example: I get the password today and later plan a way to obtain the device long enough to enter the password and see what data I would want.
Without knowing much about the podcast, I'm gonna guess, since the word "forensic" was used, that you mean a bit-by-bit copy of the data off the device. Yes, that can be done. The password-protected areas are visible, although not without work.
I don't know BES, so I must allow for another Stacker to jump in on this one. I think the pw's are kept server side for authentication.
Edit: I'm editing b/c additional things come to mind and this is such a great series of concerns.
Consider getting to know how the Kill feature works on BB devices using BES. This can really be a helpful feature when a BB is lost or stolen and the data is sensitive.
Last edited by srl7741; 12-26-2006 at 12:54 PM.
xinger, Welcome to PinStack.
It is the same as with all your other Password requirements. You should always have a limit on the Password Age. It just makes sense. I know it is a hassle for the user, but it ensures that they update their passwords periodically. I would set the limit to the same as the majority of your other password ageing settings.
Let us know if there is anything else we can do to help with this problem or your BB.
That's a helpful example! I had not thought of the learn-password-by-observation angle. That's always a threat.