  1. #1
    xinger's Avatar
    xinger is offline Stack level 1
    Join Date
    Dec 2006
    Posts
    4

    Purpose of maximum password age

    I am facilitating a new IT policy so our Blackberry devices will require passwords. The policy is being accepted with a little resistance, BUT there is a little resistance. One particular user is upset that we are setting a maximum password age of 90 days. And it got me to thinking...

    As a general security posture, setting a maximum password age in other environments (Windows, et al) is done under the assumption that someone could obtain or intercept an encrypted password stream or cache. If passwords are strong enough, it then may take them x days to crack the password(s). Setting a maximum password age reduces the exposure in the hope that password(s) have expired by the time they are cracked.

    I don't have much experience with Blackberrys, BESs, cradles, backups, etc. I'd like to know if maximum BB password age reduces some security exposure. Some questions that come to my mind are,
    • Would a compromised Blackberry device password be useful or useless in the hands of someone who actually does not have the device?
    • I was listening to a forensics podcast this morning where they talked about imaging and/or backing up the contents of a Blackberry. Say someone had physical access to a password-protected Blackberry device for a short period of time and returned it unnoticed. Can they copy or backup its contents without knowing the password? If so, could they crack the password, and would it be of use to them?
    • I also implemented, "no password the same as previous x passwords." Are these passwords (or hashes thereof) stored on the device or on the BES? If on the BES, then I would think it would be especially important to protect them there.
    There may be other or more relevant questions. I'm willing to change my stance on maximum password age, but either way, I obviously need a more concrete foundation for my stance. I will appreciate any insights you can provide.
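    The two policy controls xinger is rolling out (a 90-day maximum age and "no password the same as the previous x passwords") are easy to reason about once you see how a device or server would actually enforce them. The following Python is an added illustration written for this thread, not code from BlackBerry, BES or any poster; it assumes the history is held wherever the check runs (the thread's open question of whether that is the device or the BES is not settled here) and uses constructed values for the policy limits and sample passwords.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed policy values mirroring the thread: 90-day maximum age and a
# history window of 5 (the current password plus the 4 before it). Both are
# assumptions for this example, not values taken from BES documentation.
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 50_000  # illustrative; tune upward for real deployments


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest.

    Each history entry gets its own random salt, so a leaked history file
    cannot be attacked with one precomputed table for all entries.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordRecord:
    """Per-user record implementing the two controls under discussion."""

    def __init__(self, password: str, set_at: datetime) -> None:
        self.set_at = set_at
        self.history: List[Tuple[bytes, bytes]] = []  # (salt, digest), newest last
        self._store(password)

    def _store(self, password: str) -> None:
        # Append the new hash and drop anything older than the history window.
        self.history.append(hash_password(password))
        del self.history[:-HISTORY_DEPTH]

    def is_expired(self, now: datetime) -> bool:
        """Maximum-age check: True once the password is older than MAX_AGE_DAYS."""
        return now - self.set_at > timedelta(days=MAX_AGE_DAYS)

    def reuses_previous(self, candidate: str) -> bool:
        """History check: re-derive the candidate under each stored salt and compare
        in constant time, so the stored digests never need to be reversible."""
        for salt, digest in self.history:
            _, cand_digest = hash_password(candidate, salt)
            if hmac.compare_digest(cand_digest, digest):
                return True
        return False

    def change_password(self, new_password: str, now: datetime) -> bool:
        """Apply a change only if it does not collide with the history window.
        Returns True on success, False if the policy rejected the new password."""
        if self.reuses_previous(new_password):
            return False
        self._store(new_password)
        self.set_at = now
        return True


if __name__ == "__main__":
    # Constructed walk-through: a password set on 1 Dec 2006 is fine in February
    # but expired by mid-March; reusing it on rotation is rejected.
    rec = PasswordRecord("Winter-2006!", datetime(2006, 12, 1))
    print("expired on 1 Feb 2007:", rec.is_expired(datetime(2007, 2, 1)))
    print("expired on 15 Mar 2007:", rec.is_expired(datetime(2007, 3, 15)))
    print("reuse accepted:", rec.change_password("Winter-2006!", datetime(2007, 3, 15)))
    print("new password accepted:", rec.change_password("Spring-2007!", datetime(2007, 3, 15)))
```

Two design points worth noticing: the history holds only salted, slow hashes, so the record is of little value to anyone who copies it (which speaks to xinger's third question about protecting the store), and the age check is driven by the stored set-at timestamp rather than the device clock alone, so it can be evaluated server-side as well.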

  2. #2
    srl7741's Avatar
    srl7741 is offline Stack Professional
    Join Date
    May 2006
    PIN/ID
    Retired
    Posts
    6,359
    Hi xinger, welcome to Pinstacks

    Question 1:
    Yes, in my opinion it's still useful as long as the device is still available or the password is still valid.
    Example: I get the password today and later plan a way to obtain the device long enough to enter the password and see what data I would want.

    Question 2:
    Without knowing much about the podcast, I'm gonna guess, since the word Forensic was used, you are meaning a bit-by-bit copy of the data off the device. Yes, that can be done. The password-protected areas are visible, although not without work.

    Question 3:
    I don't know BES, so I must allow for another Stacker to jump in on this one. I think the pw's are kept server side for authentication.

    edit* I'm editing b/c additional things come to mind and this is such a great series of concerns.

    Consider getting to know how the Kill feature works on BB devices using BES. This can really be a helpful feature when a BB is lost or stolen and the data is sensitive.
    Last edited by srl7741; 12-26-2006 at 01:54 PM.

  3. #3
    Rcbjr's Avatar
    Rcbjr is offline Stack Pro
    Join Date
    May 2006
    PIN/ID
    PM - Ask
    Posts
    14,848
    xinger, Welcome to PinStack.

    It is the same as with all your other Password requirements. You should always have a limit on the Password Age. It just makes sense. I know it is a hassle for the user, but it ensures that they update their passwords periodically. I would set the limit to the same as the majority of your other password ageing settings.

    Let us know if there is anything else we can do to help with this problem or your BB.

    Rcbjr
    You Ask, We Will Answer
    Can't Install theme via DM?
    No Additional Apps Found for Your Device
    Links to Useful KB Articles

  4. #4
    xinger's Avatar
    xinger is offline Stack level 1
    Join Date
    Dec 2006
    Posts
    4
    Quote Originally Posted by srl7741
    Example: I get the password today and later plan a way to obtain the device long enough to enter the password and see what data i would want.
    That's a helpful example! I had not thought of the learn-password-by-observation angle. That's always a threat.
