Why BlackBerry's Password Blacklist Won't Stop Hackers
CREDIT: Pizue/WarX/Creative Commons, image composite by TechNewsDaily
George Carlin famously listed seven dirty words you couldn't say on TV. Now BlackBerry maker Research In Motion has 106 words that you can't use as passwords.
Earlier this fall, a developer noted on the Rapidberry.net blog that the latest BlackBerry smartphone operating system, which hits the market as BlackBerry OS10 in January, doesn't let users pick those passwords for the BlackBerry ID system.
BlackBerry IDs are similar to Apple IDs. They're used to get into BlackBerry App World and other BlackBerry consumer-related services. (Users of corporate-issued BlackBerrys are subject to rules set by their employers.)
Some of the verboten passwords are pretty obvious, such as "123456." Some are offensive, like "f***me." But others are head-scratchers; for example, "sunshine" and "maggie" are both on the forbidden list.
Tim Segato, senior product manager at Research In Motion, said the words were chosen to keep people from picking passwords that are too easy to crack.
"One element of BlackBerry’s overall security solution is to limit commonly used passwords on BlackBerry ID," Segato said.
Segato also noted that the choices of words were driven by research that shows which words tend to be used as passwords most frequently.
Good passwords and bad
The data RIM used isn't public, but there have been similar studies before, mostly in the hacker and security-research communities.
Because RIM wouldn't discuss its methodology, it's hard to say how common the forbidden password "ncc1701" — the registration number of the Starship Enterprise in the original "Star Trek" series — is compared to "master" or "bandit," two other words on the BlackBerry blacklist.
Research In Motion's thinking isn't unlike the requirements on some computer systems and websites that force you to include numbers, symbols or capital letters in your password.
But outlawing passwords may not accomplish much, said Mustaque Ahamad, a professor in the college of computing at Georgia Tech.
That's largely because, Ahamad said, hackers have enough computing power to "brute force" — try every single possible combination — passwords of eight or fewer characters.
Power in numbers
A seven-letter password entirely comprised of lower-case letters has 26 to the seventh power, or 8,031,810,176, possible combinations. An eight-letter password increases that number to 26 to the eighth power, or more than 208 billion. That's a lot, but not out of reach of commercially available computers.
Adding the digits 0-9, all 26 uppercase letters and a couple of dozen punctuation marks will greatly increase the possibilities. For example, eight characters based on a set of 80 possible characters yields 1.68 quadrillion possibilities, well beyond the means of all but the mightiest supercomputers.
"Computer and security researchers characterize difficulty of guessing passwords by what is called 'password entropy,' which captures the amount of work someone will need to do to guess the password," Ahamad said.
The best way for a user to protect himself against brute-force attacks is to increase the length of his passwords to 12 or 16 characters, to mix in uppercase letters, numbers and punctuation marks and to make the password truly random. It doesn't make brute-force attacks impossible — just unfeasible.
However, the vast majority of computer users are not going to select a random grouping of characters. They're going to use a name or a word as their password, which makes the hacker's job much easier.
All good password crackers have a list of hundreds of thousands of real words and names. Those will be the first combinations tried on a password — a "dictionary" attack. Research In Motion's elimination of 106 words from the list might slow the process down, but not by very much.
Sorry, Christopher Robin
If nothing else, Research In Motion's blacklist shows that those references to fantasy, cartoons and children's tales that you thought were so clever are actually poor choices as passwords.
"Gandalf" makes an appearance on the list, which shows it is likely pretty common, as does "dorothy." Winnie the Pooh references — "eeyore," "piglet," "poohbear" and "tigger" — are surprisingly prevalent. So are cartoon and comic-book characters: "barney," "batman," "butthead," "calvin," "donald," "mickey" and "snoopy."
About the only way to really stump a serious password cracker is to use an obscure language. A typical password-strength-testing program will give low marks to "Jennifer," a common name in English-speaking countries.
But if you know an uncommonly spoken language such as Hungarian, you can use words like "foglalkozas" (occupation), which won't show up in most dictionary lists. Native American or Asian languages are even better, as long as the words are long enough.
Lately, many security researchers have suggested passphrases, basically whole sentences strung together, instead of passwords. They are long enough that they will stop most brute-force attacks and memorable enough to, well, remember.
So why would RIM create a blacklist of forbidden BlackBerry passwords?
It wasn't to defeat a brute-force attack, but instead to prevent humans from correctly guessing your BlackBerry ID password using nothing but their brains.
"Eliminating 106 unbelievably, eye-rollingly, overwhelmingly used weak passwords fights password-guessing schemes," said Kurt Baumgartner, senior security researcher at Kaspersky Lab.
"When someone's mobile device is lost, chances are pretty good that just anyone can guess the password of at least one of the accounts with ‘password,’ ‘123456,’ or some variant," Baumgartner said.
"Unfortunately, if you don't pair that list with a reasonable minimum-length or complexity requirement, you aren't really strengthening much."
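As an added illustration (not RIM's code or anything from the article), the check below pairs a blacklist of the words the article names with the minimum-length and keyspace requirements Baumgartner says are needed, and reproduces the brute-force arithmetic from the "Power in numbers" section. The word list is a constructed subset of the 106, the 12-character and 60-bit thresholds are assumptions, and stripping trailing digits to catch "variants" such as "maggie1" is also an assumption.

```python
import math
import re
import string

# Constructed subset of the 106-word BlackBerry ID blacklist, limited to the
# words the article itself names; the full RIM list is not reproduced here.
BLACKLIST = frozenset({
    "123456", "password", "sunshine", "maggie", "ncc1701", "master", "bandit",
    "gandalf", "dorothy", "eeyore", "piglet", "poohbear", "tigger", "barney",
    "batman", "butthead", "calvin", "donald", "mickey", "snoopy",
})

# Character classes used to estimate the alphabet a brute-force attacker must
# cover. string.punctuation has 32 marks, so all four classes give 94 symbols
# (the article's round figure of 80 assumed fewer punctuation marks).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def brute_force_keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must try: 26**7 = 8,031,810,176."""
    return alphabet_size ** length


def alphabet_size(pw):
    """Size of the smallest class-union alphabet containing every character of pw."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))


def keyspace_bits(pw):
    """Password entropy in the article's sense: log2 of the brute-force keyspace."""
    n = alphabet_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw, min_length=12, min_bits=60):
    """Return (accepted, reason). A blacklist alone only blocks human guessing,
    so length and keyspace are enforced as well (thresholds are assumptions)."""
    lowered = pw.lower()
    base = re.sub(r"\d+$", "", lowered)  # assumption: "maggie1" counts as "maggie"
    if lowered in BLACKLIST or base in BLACKLIST:
        return False, "blacklisted word"
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    bits = keyspace_bits(pw)
    if bits < min_bits:
        return False, f"keyspace only {bits:.1f} bits"
    return True, f"ok ({bits:.1f} bits)"
```

Note that twelve lowercase letters pass the length check yet still fail on keyspace, which is exactly the gap between "long" and "hard to brute-force" the article draws.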