UPDATE: Shortly after posting this entry, I heard from RIM's PR and Social Media Manager Alex Kinsella via Twitter, and he informed me that the blocked passwords in the list are not device passwords, but BlackBerry ID passwords. BlackBerry users must create BlackBerry IDs to use RIM services such as its BlackBerry World app store. In other words, BlackBerry users will still be able to use the passwords to lock their devices, but they will not be able to use them as BlackBerry ID passwords. That makes a bit more sense to me, but the whole Can't Fix Stupid thing still applies to BlackBerry ID passwords.
Earlier this week, some nerd digging through code in RIM's latest BlackBerry 10 developer software build noticed a file that appears to contain a list of commonly-used passwords that will be blocked when BlackBerry 10 is launched on January 30, 2013. RIM has always been a security-conscious organization, and its products have always been designed with security in mind. While the idea of blocking simple or common passwords sounds like a good idea, there's one big problem: As the saying goes, you can't fix stupid. You also can't block stupid.
If you're interested in the specific passwords you can find them listed on RapidBerry.net, the site that originally reported on the blocked BlackBerry 10 passwords. I read the news Monday, and I wasn't planning on writing about it, because RIM has not confirmed that the passwords will actually be blocked in BlackBerry 10. But I'd been thinking about the effectiveness of such a measure, and I received a comment from John Yeo, Director, SpiderLabs EMEA, a division of IT security and compliance company Trustwave, that motivated me to share my take.
"While preventing users from choosing bad passwords such as 'password' may seem like it would increase security, this move is just a token measure that does little to increase security and likely a lot to frustrate users. Instead of blacklisting a few words, a more secure option would be to enforce some basic password complexity requirement. Also, consider now there is a list of 106 known unusable passwords that someone malicious needn't bother trying."
I agree with Yeo that blocking 106 passwords really won't increase BlackBerry security, and he's right that enforcing some level of password complexity would be more effective. I don't think blocking the passwords could hurt, though, as he suggested; advanced hackers who really want to crack a BlackBerry will likely use some sort of brute-force attack that would blow through 106 password combination in no time flat anyway.
People who don't care about mobile device security still won't care about it when they can't use specific passwords on their BlackBerrys. They probably won't use any passwords at all, and if they want to use simple, easy-to-remember passwords, they'll still find some other easy password that's not on RIM's list, such as their birthdays or their kid's middle name.
In the end, mobile device security falls on the user, and if that user is "stupid" about security, RIM will not be able to fix that.