BlackBerry Forums Support Community               

Closed Thread
 
LinkBack Thread Tools
Old 10-12-2006, 06:51 PM   #1 (permalink)
CrackBerry Addict
 
qc_metal's Avatar
 
Join Date: Mar 2005
Location: Rockford, IL
Model: 9530
OS: 4.7.x
Carrier: Verizon
Posts: 590
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Password policy: What's your timeout?

Please Login to Remove!

Ok, so I implemented a password policy for our ~320 users today. The policy was approved by our director, and I listed various reasons why they should have their BlackBerrys locked.

Of course, now I have a bunch of backlash complaining that the time (10 minutes) is not nearly enough idle time before the lock occurs.

My policy is very simple (at this point), requires a 4-digit password, no password history, 10 minute timeout, users can specify a time lower than that if necessary.

What does everyone else use as a timeout? Are there any industry reports on what kind of havoc can be wreaked upon a company if a BlackBerry gets stolen?

The basic gist of my email stated that the current risks without having a BES-enabled BlackBerry locked down with a password:

A person who has posession of your BlackBerry can:
  • View, delete, and reply to corporate email AS YOU.
  • View, create, delete, change, Calendar, Contacts, Memos, and Tasks in your corporate mailbox.
  • Above changes/deletes, etc. synchronize DIRECTLY with your mailbox.
  • Access corporate Intranet and all resources immediately available to the BlackBerry browser.
  • Access any data, personal or otherwise, that may be stored on your BlackBerry.

Our corporate workstation screen saver lock policy is 15 minutes, so me, I'm willing to go no more than that since I view the BlackBerry as a similar risk as a Laptop being stolen.

Frankly, I'm getting a bit upset, as I view a lot of this backlash as whining because users are being "inconvenienced" for the sake of protecting our corporate data.

Now, after the execs have made some noise, our director is saying "what about a 60 minute timeout?" - - *the sound you hear is me banging my head against the desk*.

So, if anyone has any Gartner or other industry stats that could help back me up here, I would be very appreciative.

...or am I being too security-conscience (I'm guessing that I'm not)...?

Regards,
Rob
__________________
Provision, maintain, and report on users via web: the NEW BerryStats | FAQ
Offline  
Old 10-12-2006, 07:27 PM   #2 (permalink)
Thumbs Must Hurt
 
rliebsch's Avatar
 
Join Date: Apr 2005
Location: SF
Model: 8100
Carrier: TMO
Posts: 138
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default interesting

I hadn't really thought about it. It is a huge vulerability, especially if mine were lost. SSH/Telnet, VNC, not to mention the core functionality...

Worst to admit, I instantly jumped up and said, yes! Passwords on the handheld...

Then i realized, oh, no locked handheld after 2 minutes. What a pain in the arse.

I am certain my users would freak out.

But it is an excellent point. I mean, the last two handhelds that were lost, were not reported to me until nearly 2 weeks after they had been lost...

sceeery
__________________
Robert Liebsch
Systems Psychologist, Network Sociologist, User Therapist.
Offline  
Old 10-12-2006, 07:34 PM   #3 (permalink)
BlackBerry God
 
jibi's Avatar
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Post Thanks: 0
Thanked 1 Time in 1 Post
Default

As of now, we've disabled MDS and have a 30 minute idle timeout policy and 60 minute mandatory timeout. In the desktop world, timeout is 10-15 minutes. Password are also initially mandatory but optional.

...I agree with you, sacrifices made in direct objection to corporate security policies is, without a doubt, quite upsetting. But at the end of the day, you aren't the one signing your own check, right?

In all honesty, your best defense against these sacrifices would be end-user education... but then again, you'll always have those that simply will never 'get it'. In the event of stolen/lost equipment, you may want to make sure that it's policy and procedure to make a call directly to someone who can access the BES user accounts... of course, that is one of those semi-enforceable procedures that will often be ignored and very hard to audit.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
Offline  
Old 10-12-2006, 08:04 PM   #4 (permalink)
Retired BlackBerryForums.com Moderator
 
d_fisher's Avatar
 
Join Date: Oct 2005
Location: Columbus, OH
Model: 9700
OS: SID 6.7
Carrier: AT&T
Posts: 4,455
Post Thanks: 0
Thanked 2 Times in 1 Post
Default

We have a 60 minute timeout, 4 character password, no history, no complexity requirments. Passwords are manditory.
__________________
Doug

Remember, please try searching first!

Need a screenshot? ... Like JavaLoader?
Try using BBscreen .....Use JL_Cmder!
or BBScreenShooter!

[SIGPIC][/SIGPIC]
Offline  
Old 10-12-2006, 08:12 PM   #5 (permalink)
Thumbs Must Hurt
 
jwcanada's Avatar
 
Join Date: Feb 2005
Location: Saint Louis
Model: 8830
Carrier: Sprint
Posts: 130
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

We use a 30 min timeout with a 6 character with no complexity required. We also put the "Owner" message when the device is locked to show the users name, company name, and a msg saying if found please contact our 800 number for our helpdesk. I thought there was no way in hell we would ever get an honest person to call. But funny thing in 3 yrs we have had 5 devices lost that the person that found it called our helpdesk. But when if comes to password policy you have to consider your business. You have to think that financial firms would have a much more strict policy than your avg company. So I don't think there is any wrong answer on the timeout of the password policy....as long as you enforce it.
__________________
~~Dazed and Confused~~
Offline  
Old 10-12-2006, 08:37 PM   #6 (permalink)
BlackBerry Extraordinaire
 
Milkman's Avatar
 
Join Date: Aug 2005
Location: Tampa Bay, Florida
Model: 9630
Carrier: Sprint
Posts: 1,087
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by qc_metal
Now, after the execs have made some noise, our director is saying "what about a 60 minute timeout?" - - *the sound you hear is me banging my head against the desk*.
I would suggest that if you haven't already, you provide the security exposures (as listed above) to your director. Make sure that he/she actually knows what can happen if a Blackberry is stolen, and at that point let him/her make the call.
__________________
Gator fan for LIFE!!!
UNBEATEN on Bobby Bowden Field
Offline  
Old 10-12-2006, 09:07 PM   #7 (permalink)
Thumbs Must Hurt
 
bremere's Avatar
 
Join Date: Mar 2006
Model: 8230
PIN: ky and the Brain
Carrier: Verizon Wireless
Posts: 157
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

We have idle pwd at 10 minutes or so, 5 pwd history, complex pwd alphanum, however the user can change the timeout length at their leisure, up to 30 min, and we have allowed user to remove the "lock on holster" restriction

just my .02

-emb
__________________
My New Bumper Sticker
"My Blackberry is smarter than your Honor Student"
Offline  
Old 10-13-2006, 01:29 AM   #8 (permalink)
BlackBerry God
 
jibi's Avatar
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Post Thanks: 0
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by Milkman
I would suggest that if you haven't already, you provide the security exposures (as listed above) to your director. Make sure that he/she actually knows what can happen if a Blackberry is stolen, and at that point let him/her make the call.
Just another note, GET IT IN WRITING from the Director (or whomever the manager making the decision). This will CYOA/CYOB if you have evidence of the decision, in the event that data is lost/stolen and somehow hurts your bottom dollar. This is the purpose of our initial mandatory password requirement; the users are made aware of the risks, and if they choose to remove the password for convenience purposes, then it's on them.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
Offline  
Old 10-13-2006, 05:54 AM   #9 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2006
Model: 8800c
Carrier: Cingular
Posts: 112
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I'm pushing for a 20 minute timeout as a hopeful best compromise between security needs and the usability issue, coupled with the lock when holstered option. I'm also trying to get a hard-coded policy in writing about reporting lost or stolen Blackberries ASAP for remote-initiated locks or wipes.

I agree 100% with you about the security need and empathize with the headaches caused by getting this past the user population.

Being a user myself, I'll take the inconvenience of having to type a simple password every 20 minutes vs. the considerably larger inconvenience of having proprietary company information exposed to a thief.

I think Jibi has posted a great idea of getting any denials in writing. That kind of accountability, especially with an executive, might be enough to bring reason to the forefront of this issue, and like Jibi said, it's a great CYA at bare minimum.
Offline  
Old 10-13-2006, 07:21 AM   #10 (permalink)
Retired BlackBerryForums.com Moderator
 
d_fisher's Avatar
 
Join Date: Oct 2005
Location: Columbus, OH
Model: 9700
OS: SID 6.7
Carrier: AT&T
Posts: 4,455
Post Thanks: 0
Thanked 2 Times in 1 Post
Default

Quote:
Originally Posted by edonin
I'm pushing for a 20 minute timeout as a hopeful best compromise between security needs and the usability issue, coupled with the lock when holstered option.
I think the lock when holstered is worse than even a 2 minute timeout. I always keep my BlackBerry in the holster. Can't tell you how many times I have holstered the BlackBerry only to have it go off. Because I work in a support role, I have to look. So now I need to unlock the BlackBerry again after just 10 seconds of inactivity.
__________________
Doug

Remember, please try searching first!

Need a screenshot? ... Like JavaLoader?
Try using BBscreen .....Use JL_Cmder!
or BBScreenShooter!

[SIGPIC][/SIGPIC]
Offline  
Old 10-13-2006, 07:54 AM   #11 (permalink)
Talking BlackBerry Encyclopedia
 
SimonMac's Avatar
 
Join Date: Feb 2006
Location: Leeds, UK
Model: :(
PIN: Absent :(
Carrier: None :(
Posts: 451
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

5 mins and a 6 letter password we also enforce lock on holstering
__________________
No longer have 15 Domino 6.5 Servers
No longer have 6 BES 4.1.3 Servers
No longer have 2613 Users
But still have the 1 Constant Headache?!?!

Offline  
Old 10-13-2006, 09:20 AM   #12 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2006
Model: 8800c
Carrier: Cingular
Posts: 112
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I'm on the support side myself, and sure don't disagree that it can be annoying to type a short password everytime the bloody thing buzzes, but if you've ever seen a really good pickpocket at work, you know how easy it is for someone to nick even a holstered device. Again, IMHO, better for me to type the 2 second password, than to risk company data and server access (especially if a user has a Mobile Admin app onboard).

At least I can answer the phone while it's locked, which is the only time-critical function that a hostered lock could possibly impair.

However, I will concede that your daily video sig file, once again mightily rules! Very cool!
Offline  
Old 10-13-2006, 11:58 AM   #13 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2005
Model: 8703e
Carrier: Verizon
Posts: 59
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by SimonMac
5 mins and a 6 letter password we also enforce lock on holstering
Glad I'm not one of your BES users. I would hate to have to enter my password every 5 mnutes. We have ours set to 60min
Offline  
Old 10-13-2006, 12:09 PM   #14 (permalink)
CrackBerry Addict
 
Andi's Avatar
 
Join Date: May 2005
Location: Chicago
Model: 9700
OS: 6.0.0.448
Carrier: T-Mobile
Posts: 549
Post Thanks: 0
Thanked 4 Times in 4 Posts
Default

20 minutes time out (and they cry about that!) 5 to 14 character password - no forced lock on holstering -- still have MDS running (not by my choice) but we did stop all installing of 3rd party apps
Offline  
Old 10-13-2006, 01:00 PM   #15 (permalink)
CrackBerry Addict
 
qc_metal's Avatar
 
Join Date: Mar 2005
Location: Rockford, IL
Model: 9530
OS: 4.7.x
Carrier: Verizon
Posts: 590
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by rliebsch

But it is an excellent point. I mean, the last two handhelds that were lost, were not reported to me until nearly 2 weeks after they had been lost...

sceeery
This is exactly why I wanted to push this policy - we have had quite a few devices stolen or lost, and most of the time, the person has already spent a few days looking for it, only to come to the conclusion that yep, they don't have it any longer.

Typically by now, I can't send a kill command as the battery may have died or the device is out of range at that time.

Then, a new device gets deployed to the user, and once the PIN is associated with their email address, the old device can't synchronize with our BES, which is great - but then again, there is still data on the device. Those are the ones that are the biggest risk for us right now.

I would say out of all devices I've sent a kill command to because of a loss/theft, I've probably had 2 which processed the command completely.

I would love to have a feature in the Management tool that put our stolen/lost PINs in "the parking lot" - so we can repeat our kill commands on a schedule but obviously that would eat into client licenses...or perhaps a paid service that the carrier can provide to send out repeated device kill commands for a window of time.

In any case, because of various people complaining, and others caving, we are going to modify our timeout to 30 minutes (which seems to be slightly longer than the average response here of 20 minutes).

We'll see if the complaining continues...

I most definitely appreciate all your responses. I'm gladd I'm not the only guy in the boat.

Rob
__________________
Provision, maintain, and report on users via web: the NEW BerryStats | FAQ
Offline  
Old 10-16-2006, 12:36 PM   #16 (permalink)
CrackBerry Addict
 
qc_metal's Avatar
 
Join Date: Mar 2005
Location: Rockford, IL
Model: 9530
OS: 4.7.x
Carrier: Verizon
Posts: 590
Post Thanks: 0
Thanked 0 Times in 0 Posts
Angry

grrr. There's always one guy...

Check out this response to my policy - from a user, mind you.

While I appreciate the comments, I do not appreciate the fact that this person thinks they can do our job for us.

As for the responses, I have a few on hand, but I wanted to put this past you guys for a more informed (and less heated) idea for feedback.

Quote:
I take a fairly dim view of the approach to multiple password entry per dayprotection approach.

The problem (company communications network security) isn't well addressed if everyone has a four letter password composed of the same letters or a simple keyslide that can be performed with only the right hand. You'd think we'd be a better group, but the first time you try to unlock your 'company cell phone / blackberry' to place a call on a very long drive, most users realize that simplicty is absolutely essential. I suspect we don't have a great deal password of diversity.

Perhaps there are other ways to approach the problem that better addresses the problem?

Consider password requirements for device-desktop syncronization. Staged password timeout for functionalities with different risks (30 min email lockout, 8 hours phone lockout). Device email lasts a max of one month. Or use-based software that reacts to possible malignant use senarios (like 3rd party software install) and locks out until a password is entered (if such a thing exists).

Ultimately doespasswording do much to protect our company anyway? Denial of service attacks to disable a blackberry enterprise server's corporate network are still a possiblility. MAPI and BBPROXY would seem to be threats if users can install 3rd party programs, and the blackberry's weak use of memory scrubbing (even with crypo) isn't something I much trust or understand. I guess what I'm saying is passwording only seems likely to block out casual (and probably not particularly dangerous) misuse senarios, without appearing to add security against more dangerous hacking or malware threats.

Has therebeen much blackberry abuse/theft/maluse in our company?
__________________
Provision, maintain, and report on users via web: the NEW BerryStats | FAQ
Offline  
Old 10-16-2006, 01:26 PM   #17 (permalink)
CrackBerry Addict
 
qc_metal's Avatar
 
Join Date: Mar 2005
Location: Rockford, IL
Model: 9530
OS: 4.7.x
Carrier: Verizon
Posts: 590
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

My response:

Quote:
%user%,

Thank you for taking the time to respond. This policy has been agreed upon by %our company%'s executive team and mandated by the IS department in an effort to:

· Conform to our security auditor’s requests
· Protect %our company%'s data



It only takes a few minutes for a casual person or a child to delete %our company% data if the device is left unlocked – even if person’s intentions are not malicious. So, a password will in fact prevent most people from trying to get data from the device. And while it is true that we have not implemented the complex password restriction, it is available to us – of course, this is not to say that the IS department will not implement such a restriction in the future. Please note that you as a BlackBerry user are not limited to a 4-digit password, or that there is a ‘standard password’ that people are using – everyone has chosen their own password.

%our company% is comfortable with the (triple-DES encryption) memory scrubbing technique that is part of our BES deployment. As such, appropriate safeguards are (and have been) in place to protect %our company% data at the device and server level, including the denial of service vulnerability as you mentioned.

No electronic system is 100% safe or foolproof, but it can be made substantially safer if we all maintain an effort to secure %our company%'s proprietary assets and information.

If you have any further comments or questions regarding this policy, please refer them to my manager, %my manager%.

Regards,

Rob
I didn't want to get into a techie battle with him, but wanted to go over the fact that this is not his choice, and it will in fact help us protect our data, since 99% of thefts are usually people concerned with the device, and have no care for the data.

What do you think?
__________________
Provision, maintain, and report on users via web: the NEW BerryStats | FAQ
Offline  
Old 10-16-2006, 01:37 PM   #18 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2006
Model: 8800c
Carrier: Cingular
Posts: 112
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Nice job, QC! It professionally defends your and your company's position, and is non-offensive while taking any ands-ifs-and-buts out of the equation. If it's not copy-righted, I'd likely steal it for replies to our user community.

If the patience and euphemisms in your reply were money, you could retire.
Offline  
Old 10-16-2006, 02:22 PM   #19 (permalink)
CrackBerry Addict
 
qc_metal's Avatar
 
Join Date: Mar 2005
Location: Rockford, IL
Model: 9530
OS: 4.7.x
Carrier: Verizon
Posts: 590
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Go for it - Trust me, it took a lot to not be a little heated...!
__________________
Provision, maintain, and report on users via web: the NEW BerryStats | FAQ
Offline  
Old 10-17-2006, 08:49 AM   #20 (permalink)
Thumbs Must Hurt
 
Join Date: Aug 2005
Location: Charlottetown, PEI, Canada
Model: 7250
Carrier: Bell
Posts: 95
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

hmm - we increased out lock time to 15 mins from 5 mins after massive user complaints - my personal favorite was that it was too difficult for a user to unlock his bb while driving to check his email (!). We have disabled MDS, 3rd party apps, all messenger services. The password has to be min 5 characters which is very easy compared to the strong password on the desktop, we enforce a change after 120 days, no patterns or repeats allowed. The device will self-wipe after 5 incorrect password attempts.
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On





Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.