1. tekware's Avatar
    Help, couldn't get in (Z10) after locking with new number in picture lock included in the new OS.
    I am on fifth try and need help.
    It asks me to enter "blackberry" but it doesn't do anything after I do.
    Do as it asks. Type "blackberry" [Enter] and then you will be asked for your device password. Enter that. This is all so that some child couldn't accidentally wipe your phone by playing with the picture numbers.
    02-05-14 09:35 AM
  2. Raestloz's Avatar
    We know that security is always most vulnerable to social engineering (human nature). So that leads me to the question; Should we avoid using what I call the pivot point numbers: 0, 1, 5, 9? Is it in human nature for someone trying to brute force the unlock to start with those numbers? Yes they only have 5 tries in any given session. But, if this is someone you are around a lot (life partner, business associate) they can try 3 times making note of what they tried, wait for you to unlock to reset the try count and try again later. Over time, they will have tried many combinations.

    Next, are they likely to try 0, 1, 2, 3 followed by 9, 8, 7?

    So if we think we understand these human traits, what do we do? I recommend, changing it occasionally. That is always a good practice for unlock information anyway. If you suspect someone is attempting the 3 tries and stop method, you can detect that by purposely doing it wrong 2 times and see if it gives the 5 tries warning. If so, you know someone already used some tries.

    This out-of-the-box idea is sparking some very fun mental exercises.
    There is no point to try to change. Out of the available space in 720 x 720 pixels in a Q device, you can have any number at any place. Even if you can guess the number, guessing the place is bordering impossible

    Z10 STL100-1/10.2.1.1925
    PatrickMJS likes this.
    02-05-14 10:03 AM
  3. bobshine's Avatar
    We know that security is always most vulnerable to social engineering (human nature). So that leads me to the question; Should we avoid using what I call the pivot point numbers: 0, 1, 5, 9? Is it in human nature for someone trying to brute force the unlock to start with those numbers? Yes they only have 5 tries in any given session. But, if this is someone you are around a lot (life partner, business associate) they can try 3 times making note of what they tried, wait for you to unlock to reset the try count and try again later. Over time, they will have tried many combinations.

    Next, are they likely to try 0, 1, 2, 3 followed by 9, 8, 7?

    So if we think we understand these human traits, what do we do? I recommend, changing it occasionally. That is always a good practice for unlock information anyway. If you suspect someone is attempting the 3 tries and stop method, you can detect that by purposely doing it wrong 2 times and see if it gives the 5 tries warning. If so, you know someone already used some tries.

    This out-of-the-box idea is sparking some very fun mental exercises.
    You're right, like with any password it's better to be careful.

    Regularly changing password is important.

    Posted via CB10
    02-05-14 10:09 AM
  4. gg bb's Avatar
    People aren't getting it. The chances of guessing the picture password combination and unlocking a phone are low enough to make it unlikely. Less than 1 in 1000 with 5 tries.

    But with 50 numbers on the screen, the chances of a random unlocking are high enough that it's possible.

    Choose 2 or more numbers and the only flaw is fixed
    02-05-14 02:09 PM
  5. conkybubs's Avatar
    I don't think the picture password was ever intended to be the most secure against random tries, bumps or brute force....the main feature is simply people can watch you enter it and have no clue what your code is. No need for you to hide your phone and look over your shoulder every time you enter your password.

    If you want a more secure code against brute force, go ahead and use a regular alphanumeric password....BUT, you have to be careful and hide it every time you enter it.

    Posted via CB10
    Thunderbuck and JamesIV like this.
    02-05-14 02:26 PM
  6. james pisano's Avatar
    It is definitely the most secure in terms of trying to enter the code while around people you might not trust, BUT it is not the most secure in terms of a brute force method. E.g. If someone tried to unlock it by randomly trying different variations.

    Let's consider the number of combinations for the picture password lock.
    First, there are 7 columns of numbers and 9 rows of numbers. So every single time you try, you are really trying 7x9=63 combinations at once.

    The picture password lock also has a little bit of leeway if you place the number slightly off center to where it is supposed to be and I estimate you can be off by about 1/5th to 1/6th of the way in either direction (horizontally or vertically) before the phone assumes you got it wrong. If we try to find the number of possible "locations" you can place a number, it is basically the number of "number" widths multiplied by the variance. We already said there are 7 columns, so 7x6=42 (where 6 is the variance) is the number of horizontal positions possible.
    Likewise for vertical positions. 9x6=54

    So the number of possible positions to place a number is 42x54 = 2268
    Since there are 10 possible digits 0-9, further multiply by 10.
    =22680
    But wait, we initially said you are trying 63 numbers at once, so 22680/63 = 360

    Another way to think of it is that there is a 1/6th variance in each direction of each of the numbers, and there are 10 numbers. So 6x6x10=360.

    So the chance of someone randomly being able to get the correct number to the correct position is 1 in 360.
    Since they have 5 tries before it goes to your other password, 5 in 360. Or 1 in 72.

    This is a conservative number as well since I said it is 1/5th to 1/6th variance. If it is only 1/5th variance, chance of guessing is 1 in 50.

    So no, in actuality, it is a pretty insecure way to protect your phone. People can't try and look at you enter the password to guess it, but their chances of randomly guessing it are pretty high.




    On the other hand, for a password lock there are M^N possibilities where M is the number of possible characters and N is the length of your password. If we consider 26 lowercase, 26 upper case, 10 numbers, and 42 symbols (I counted my BB keyboard, lol) you have (26+26+10+42)^N possibilities.
    With a password of length 1, the chance of them guessing your password is 1/104 each time. Or almost 1/21 with the first 5 tries. Yeah... your picture password lock is only twice as good as a password of length 1.....


    Posted via CB10
    That's a very interesting analysis. I'm a big proponent of security and started using picture password and now I'm not sure what I'll do. I did lower the time before my phone locks to 15 minutes, so in that sense, I've increased my security, in as much as I'm away from my phone. Anyway, thanks for that. Appreciate seeing how to evaluate the strength of a password.

    Via CB10 & Z10 or Q10
    02-06-14 04:01 PM
  7. james pisano's Avatar
    Why couldn't BB limit the number of attempts to three before forcing the alphanumeric password?

    They could also, as others have said, increase the number of required digit-location combinations to two. Seems this would dramatically increase the security of the password.

    Via CB10 & Z10 or Q10
    02-06-14 04:18 PM
  8. bennelong's Avatar
    I just repeatedly locked my device and tried sets of four 'blind swipes' until it unlocked on the 89th attempt.
    Given the odds against an unauthorised unlocking attempt ever actually occurring, combined with the fact that only five attempts are possible before the password prompt, I think that my device is pretty well locked.
    As already mentioned, there's always the option to not use the Picture Password should a person or organisation be unable to risk a random unlocking event - and also that there should be built into it, a setting to limit unlocking attempts should the owner want it that way.


    Posted via CB10 on a Z10
    Thunderbuck and Bishkin like this.
    02-07-14 02:01 AM
  9. Stef007's Avatar
    Why couldn't BB limit the number of attempts to three before forcing the alphanumeric password?

    They could also, as others have said, increase the number of required digit-location combinations to two. Seems this would dramatically increase the security of the password.

    Via CB10 & Z10 or Q10
    Is my understanding correct that what you suggest is to have the grid with numbers stop in at least 2 locations therefore aligning 2 numbers in different spots in order to unlock? For instance you will slide the grid with the first number in the first spot, stop there for 1 second - without lifting your finger from the screen - until it will signal that it acknowledged that attempt (for instance by turning all numbers in a different color or making them bold) and then you will slide the grid so the 2nd number gets in the 2nd spot and release it. This would make it way more secure and on the other hand it will still be a quick unlock option.

    This was posted on the wonderful BB Z10, STL100-3, 10.2.1.537
    Last edited by Stef007; 02-08-14 at 08:36 PM.
    02-07-14 05:39 PM
  10. MrGlenn's Avatar
    Sure, a two-stage solution to Picture Password would be awesome and make it even more secure! But right now I think it already is the best 'defense' against situations where people can watch you use your device. Passwords can be read, patterns can be remembered, for PP neither is relevant.
    ...This would make it way more secure and on the other hand it will still be a quick unlock option...
    I did notice one strange thing though. The BlackBerry Help Blog states that this protects against random attempts/brute force by requiring a minimum moved distance. This could help in the cases where the number is generated on the exact location (0 movement = unlock).
    Brute Force Attack - Picture Password addresses brute force attacks by limiting the number of guesses, varying the size, location, and pattern of the grid numbers and requiring minimum movement of the number grid.
    But in my experience, the minimum movement required is so small, it even registers slightly tapping the screen, so '0 movement = unlock' can still happen.
    02-08-14 10:58 AM
  11. K man13's Avatar
    Is there any way to lock the phone without waiting for the lock time out period?

    Posted via CB10
    02-09-14 02:34 AM
  12. jafrul's Avatar
    Is there any way to lock the phone without waiting for the lock time out period?

    Posted via CB10
    Hold top button few seconds


    Posted via Awesome Astro flying10.2.1.1925 on CB10. For a regular dose of Quotes, subscribe C001190A9 .
    K man13 likes this.
    02-09-14 02:39 AM
  13. bennelong's Avatar
    Hold top button few seconds


    Posted via Awesome Astro flying10.2.1.1925 on CB10. For a regular dose of Quotes, subscribe C001190A9 .
    ...and you'll be presented with the option to either Cancel (the turning off process), Lock or Restart your phone.

    Posted via CB10 on a Z10
    K man13 and PatrickMJS like this.
    02-09-14 03:15 AM
  14. Bishkin's Avatar
    I just repeatedly locked my device and tried sets of four 'blind swipes' until it unlocked on the 89th attempt.
    Given the odds against an unauthorised unlocking attempt ever actually occurring, combined with the fact that only five attempts are possible before the password prompt, I think that my device is pretty well locked.
    As already mentioned, there's always the option to not use the Picture Password should a person or organisation be unable to risk a random unlocking event - and also that there should be built into it, a setting to limit unlocking attempts should the owner want it that way.


    Posted via CB10 on a Z10
    I don't know if it is already so, but the grids generated should never have the correct number placed on the exact location. Coupled with a 16 character alphanumeric password, the only way then to get into the phone would be to say smash it hard against the wall.
    02-09-14 03:35 AM
  15. bennelong's Avatar
    I don't know if it is already so, but the grids generated should never have the correct number placed on the exact location. Coupled with a 16 character alphanumeric password, the only way then to get into the phone would be to say smash it hard against the wall.
    If the number's over the correct position to commence with it won't work until it is moved and repositioned.
    It's like walking downtown, where your odds of being struck by a car seem to be statistically quite high, yet with the proper rules in place and some common sense - we manage to remain safe.

    Posted via CB10 on a Z10
    02-09-14 03:55 AM
  16. james pisano's Avatar
    Is my understanding correct that what you suggest is to have the grid with numbers stop in at least 2 locations therefore aligning 2 numbers in different spots in order to unlock? For instance you will slide the grid with the first number in the first spot, stop there for 1 second - without lifting your finger from the screen - until it will signal that it acknowledged that attempt (for instance by turning all numbers in a different color or making them bold) and then you will slide the grid so the 2nd number gets in the 2nd spot and release it. This would make it way more secure and on the other hand it will still be a quick unlock option.

    This was posted on the wonderful BB Z10, STL100-3, 10.2.1.537
    Yes, but to be fair, I believe others already mentioned it. The idea, I think I raised was to make it a 3 attempt process before being forced to enter your password rather than 5. But I think both ideas are good.

    In any event, I'm big on security and I love it. I still have all the back end encryption, but I also have easy access and when I show the screen to people, they don't know where to begin to try and unlock my Z. And when I tell them how it works, and do it in front of them, they are totally baffled.

    Via CB10 & Z10 or Q10
    02-09-14 09:22 AM
  17. gg bb's Avatar
    Is my understanding correct that what you suggest is to have the grid with numbers stop in at least 2 locations therefore aligning 2 numbers in different spots in order to unlock? For instance you will slide the grid with the first number in the first spot, stop there for 1 second - without lifting your finger from the screen - until it will signal that it acknowledged that attempt (for instance by turning all numbers in a different color or making them bold) and then you will slide the grid so the 2nd number gets in the 2nd spot and release it. This would make it way more secure and on the other hand it will still be a quick unlock option.

    This was posted on the wonderful BB Z10, STL100-3, 10.2.1.537
    This is not what I would want. It's better to allow for change number and picture for 2 stage picture password. The stop hold move method can be very tricky if the numbers and locations fall the wrong way involving swapping fingers without letting one go then stop too long might be considered a guess, it's also potentially vulnerable to smudge attack.

    My preferred solution:
    picture password works the same as it does now only if you chose a 2 stage password instead of unlocking after first picture/number you are presented with second picture/number right up to a maximum of 4 numbers pictures. Most people would be happy with 1 or 2 number pictures but the solution is scalable for all requirements.
    The rule of 5 wrong answers revert to character would remain.
    Only question is whether after getting first number wrong the user is notified and the password attempt starts from position 1 again with 1 chance used or if the user must enter all numbers before being told they have messed up on at least one of them. I was thinking the second although others have suggested the first which although less secure is still much more secure than the current 1 number is all you can have and is probably the most intuitive.

    The other benefit of this those using one number not wanting to change the proposed change would not affect them in any way, the only way a user would be affected if this change was implemented is that on changing picture password settings they would be prompted if they want to choose another number/picture up to 3 more times till they select that's enough numbers or provide 4 numbers.
    02-09-14 10:30 AM
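
The odds estimated in the analysis quoted in post 6, and the two hardening ideas raised in the thread (two to four stages, three attempts instead of five), worked through as an added example that is not part of any poster's message. It takes the posters' estimates as assumptions (7x9 grid, 1/6 tolerance, 104-character keyboard); the wrapping grid, secret digit and target spot in the simulation are constructed.

```python
from fractions import Fraction
import math
import random

# Estimates quoted by the posters (assumptions, not BlackBerry specifications).
COLS, ROWS, DIGITS = 7, 9, 10
TOL = 6          # placement tolerance: 1/6 of a cell on each axis
ALPHABET = 104   # characters one poster counted on the keyboard

def per_try_odds(stages=1, tol=TOL):
    """Odds that one blind attempt puts the right digit on the right spot at every stage."""
    return Fraction(1, tol * tol * DIGITS) ** stages

def lockout_risk(p, attempts=5):
    """Odds that `attempts` distinct guesses succeed before the password fallback."""
    return min(Fraction(1), attempts * p)

def matched_password_length(p, alphabet=ALPHABET):
    """Longest random password whose guess space is no larger than 1/p."""
    n = 0
    while alphabet ** (n + 1) <= 1 / p:
        n += 1
    return n

def simulate(trials, seed=1):
    """Monte Carlo check of the one-stage figure: random grid, blind drag."""
    rng = random.Random(seed)
    width, height = COLS * TOL, ROWS * TOL   # 42 x 54 distinguishable positions
    secret, tx, ty = 7, 20, 31               # constructed secret digit and spot
    hits = 0
    for _ in range(trials):
        grid = rng.choices(range(DIGITS), k=COLS * ROWS)
        dx, dy = rng.randrange(width), rng.randrange(height)
        gx, gy = (tx - dx) % width, (ty - dy) % height   # grid point now over the spot
        on_digit = gx % TOL == 0 and gy % TOL == 0       # within tolerance of a digit
        if on_digit and grid[(gy // TOL) * COLS + gx // TOL] == secret:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    for stages in range(1, 5):
        p = per_try_odds(stages)
        print(f"{stages} stage(s): {math.log2(1 / p):5.1f} bits, "
              f"3 tries {float(lockout_risk(p, 3)):.2e}, "
              f"5 tries {float(lockout_risk(p, 5)):.2e}, "
              f"at least a {matched_password_length(p)}-char password")
    print(f"simulated one-stage odds per try: 1 in {1 / simulate(40000):.0f}")
```

Under these assumptions the grid size cancels out of the per-try odds, and each added stage multiplies the guess space by 360 while cutting five tries to three only improves the odds by a factor of 5/3.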
  18. Stef007's Avatar
    And another thing I would suggest to BlackBerry is that they should treat this PP option the same as the simple password option from the IT policy point of view when using an exchange email account. I would love to use it but that means that I need to disable my work exchange account which I'm not willing to do.

    This was posted on the wonderful BB Z10, STL100-3, 10.2.1.537
    02-10-14 07:19 PM
  19. unclebanglin's Avatar
    I was sad when I saw that I couldn't use picture password with my work exchange email.

    Oh well. Back to simple pass

    Posted via CB10
    02-23-14 11:45 AM