1. chetmanley
    Hello,

    This is something I've missed since BB10. As far as I know, BB10 doesn't have a max character limit on device passwords.

    I've read that people have compiled their own versions of android with a 100 character limit without apparent issue.

    Is this default limit of 17 something that BB can remove or increase in future builds?

    Edit: The character limit is 16

    "Your password must be fewer than 17 characters."

    Update: BB10 limit is 32 characters. iOS is 32 also (thanks Conite)
    Last edited by chetmanley; 04-15-19 at 11:23 AM.
    04-13-19 07:37 AM
2. BigBadWulf
    What is the statistical possibility one could crack a 17 character password in 10 attempts?

    Ahhhhh... this provides some interesting clues.
    04-13-19 08:42 AM
3. chetmanley
    What is the statistical possibility one could crack a 17 character password in 10 attempts?

    Ahhhhh... this provides some interesting clues.
    Not really the point. One could make the same argument for a 4 or 6 digit pin in 10 attempts, but no one would argue that is secure. This is also assuming the password is attacked in the user interface, and not via some other method which may bypass the attempt limit.

    BB10 only had a minimum limit of 4, but seemingly no upper limit.

    I'm sure it would be simple for BB to tweak so a user could choose any password length they would like.
    04-13-19 11:10 AM
4. BigBadWulf
    This is also assuming the password is attacked in the user interface, and not via some other method which may bypass the attempt limit.
    Wouldn't that require someone who cares about security to leave USB debugging enabled?

    I'm sure it would be simple for BB to tweak so a user could choose any password length they would like.
    Maybe possible, but worth any effort? I can dig you want it, but can't picture there being much interest overall.
    04-13-19 11:24 AM
5. chetmanley
    Wouldn't that require someone who cares about security to leave USB debugging enabled?
    I'm not sure what methods could be used to be honest. I was thinking more along the lines of a chip-off which is obviously destructive in nature, but if it is possible via a USB connection in any way, that is sorta concerning.

    We know cellebrite produces specialized USB cables which work to bypass device security. I'd love to learn how.

    I have another concern regarding something written on the Fastboot screen. It says Mode: Product

    This begs the question - are there other modes? I imagine some sort of "factory mode" or who knows.

    Maybe these specialized USB cables can invoke these modes (assuming they exist), which would allow the attacker free access to the device, or maybe it would disable the attempt limit, allowing a computer to brute force it.

    Perhaps some android programming experts on the forum here can weigh in?

    Maybe possible, but worth any effort? I can dig you want it, but can't picture there being much interest overall.
    If you have a chance, that would be great, thanks!
    04-13-19 11:32 AM
6. bb10adopter111
    What is the statistical possibility one could crack a 17 character password in 10 attempts?

    Ahhhhh... this provides some interesting clues.
    With modern PW managers it's almost criminal not to use very long, complex hashes for all PWs. I would never suggest capping the length at a number less than 40, and 100+ character PWs are used for assets much less exploitable than a personal or work smartphone.

    17 seems pretty stingy to me.

    Posted with my trusty Z10
    04-13-19 01:48 PM
7. BigBadWulf
    With modern PW managers it's almost criminal not to use very long, complex hashes for all PWs. I would never suggest capping the length at a number less than 40, and 100+ character PWs are used for assets much less exploitable than a personal or work smartphone.

    17 seems pretty stingy to me.

    Posted with my trusty Z10
    You type 40+ characters every time you access your phone?
    04-13-19 02:10 PM
8. bb10adopter111
    You type 40+ characters every time you access your phone?
    I didn't actually say that. I said I don't understand the logic of an OS capping any PW length at less than 40. What a user wants to use for their PW length is up to them, based on their risk appetite and threat environment. My pass phrase on my PC is almost 40 chars long, and I type it very quickly.

    Posted with my trusty Z10
    04-13-19 02:19 PM
10. conite
    I didn't actually say that. I said I don't understand the logic of an OS capping any PW length at less than 40. What a user wants to use for their PW length is up to them, based on their risk appetite and threat environment. My pass phrase on my PC is almost 40 chars long, and I type it very quickly.

    Posted with my trusty Z10
    Does your entire PC get nuked after 10 failed attempts?
    04-13-19 03:27 PM
11. conite
    This is also assuming the password is attacked in the user interface, and not via some other method which may bypass the attempt limit.
    If we're coming up with completely hypothetical compromises, why couldn't the entire password screen be bypassed?

    Seems completely arbitrary.
    04-13-19 03:32 PM
12. bb10adopter111
    Does your entire PC get nuked after 10 failed attempts?
    I agree that's a great control, but again, I'm not arguing that someone SHOULD set a very long password, just that the OS should allow it.

    Posted with my trusty Z10
    04-13-19 03:32 PM
13. BigBadWulf
    I didn't actually say that. I said I don't understand the logic of an OS capping any PW length at less than 40. What a user wants to use for their PW length is up to them, based on their risk appetite and threat environment. My pass phrase on my PC is almost 40 chars long, and I type it very quickly.

    Posted with my trusty Z10
    [image: th_splode.gif]
    04-13-19 03:34 PM
14. conite
    I agree that's a great control, but again, I'm not arguing that someone SHOULD set a very long password, just that the OS should allow it.

    Posted with my trusty Z10
    But the length is completely arbitrary. No one can argue that 1 million characters is not better than 100 characters either.

    The fact is, 17 has been chosen as an acceptable string length by a developer that is attempting to balance resources, and every conceivable metric says it is already overkill.
    04-13-19 03:37 PM
15. bb10adopter111
    It's common for important systems these days to have very long hashed passwords. If they are truly random, the exact length is arbitrary, obviously, and you're right that, with brute force attacks not an option with the 10 incorrect attempt limit. But 17 really isn't a very long limit in 2019.
    04-13-19 04:11 PM
16. chetmanley
    If we're coming up with completely hypothetical compromises, why couldn't the entire password screen be bypassed?

    Seems completely arbitrary.
    On many devices, it can be.
    04-13-19 04:29 PM
17. chetmanley
    But the length is completely arbitrary. No one can argue that 1 million characters is not better than 100 characters either.

    The fact is, 17 has been chosen as an acceptable string length by a developer that is attempting to balance resources, and every conceivable metric says it is already overkill.
    Why is the length completely arbitrary?

    Why was 17 chosen as an acceptable string length? That seems arbitrary to me. As I stated in the first post, I did some reading and it appears some developers built their own Android version with a password length of 100 without any apparent negative effects...

    BB10 doesn't appear to have a limit - if it does, it's definitely more than 17 and I can't find it mentioned in the documentation.

    I'm sure it would take very little effort for BB to change a single variable to allow longer passwords on their devices.
    04-13-19 04:39 PM
18. chetmanley
    Found this article from last year discussing Android Physical Access.

    There is a section which describes how USB cables are used. Pretty interesting. Makes me wonder if BB has baked in a similar mode to their version of android....

    https://blog.elcomsoft.com/2018/05/d...l-acquisition/
    04-13-19 04:47 PM
19. conite
    Why is the length completely arbitrary?

    Why was 17 chosen as an acceptable string length? That seems arbitrary to me. As I stated in the first post, I did some reading and it appears some developers built their own Android version with a password length of 100 without any apparent negative effects...

    BB10 doesn't appear to have a limit - if it does, it's definitely more than 17 and I can't find it mentioned in the documentation.

    I'm sure it would take very little effort for BB to change a single variable to allow longer passwords on their devices.
    If your argument is that the system could be compromised anyway, then the whole discussion is moot.

    The fact is, 17 characters with a wipe after 10 tries is many orders of magnitude more than is necessary already.
    04-13-19 05:10 PM
20. Jake2826
    Found this article from last year discussing Android Physical Access.

    There is a section which describes how USB cables are used. Pretty interesting. Makes me wonder if BB has baked in a similar mode to their version of android....

    https://blog.elcomsoft.com/2018/05/d...l-acquisition/
    Great post. Thanks for sharing. Not many in the mainstream would like to discuss this kind of thing, but I know many BlackBerry users would.
    04-13-19 05:14 PM
21. chetmanley
    If your argument is that the system could be compromised anyway, then the whole discussion is moot.

    The fact is, 17 characters with a wipe after 10 tries is many orders of magnitude more than is necessary already.
    Agreed, if the entire system can be compromised, and a number of devices have been.

    What I'm arguing is that new exploits are being discovered all the time. Perhaps on a BB device, the entire system can't be compromised like a Samsung or LG for example, but maybe the 10 attempt limit could be deactivated one day.

    In this scenario, 17 characters may not be sufficient.

    The bottom line, in my opinion, is that there is zero reason to be arguing for an arbitrary number of 17 characters. As I countered earlier, with a 10 attempt limit, the odds of brute forcing even a 4 digit pin are not that great - doesn't mean it's a great password.

    There is no reason why it couldn't be increased to accommodate users who tend to prefer stronger passwords as a habit pattern. Everyone else can keep locking their devices with 1234 and be none the wiser.
    04-13-19 05:18 PM
22. Jake2826
    It's common for important systems these days to have very long hashed passwords. If they are truly random, the exact length is arbitrary, obviously, and you're right that, with brute force attacks not an option with the 10 incorrect attempt limit. But 17 really isn't a very long limit in 2019.
    bb10adopter111:

    You might be interested that companies such as Cellebrite are currently using exploits in Android, in which the length of the password is barely a concern.

    Check out the reports posted...

    https://blog.elcomsoft.com/2018/05/d...l-acquisition/
    @chetmanley periodically posts the advancements Cellebrite makes with their extraction technology, and the list of devices they are able to extract from is starting to get very long.

    The architecture of BB10 with its much smaller code base than Android means that it is still more secure than Android could ever hope to be, simply because of Android's size and ever changing code.
    04-13-19 05:28 PM
23. conite
    Agreed, if the entire system can be compromised, and a number of devices have been.

    What I'm arguing is that new exploits are being discovered all the time. Perhaps on a BB device, the entire system can't be compromised like a Samsung or LG for example, but maybe the 10 attempt limit could be deactivated one day.

    In this scenario, 17 characters may not be sufficient.

    The bottom line, in my opinion, is that there is zero reason to be arguing for an arbitrary number of 17 characters. As I countered earlier, with a 10 attempt limit, the odds of brute forcing even a 4 digit pin are not that great - doesn't mean it's a great password.

    There is no reason why it couldn't be increased to accommodate users who tend to prefer stronger passwords as a habit pattern. Everyone else can keep locking their devices with 1234 and be none the wiser.
    Using an alphanumeric password with a special character, it would take an average of 2 centuries to crack 12 characters.

    17 characters is well into the 10^17 year vicinity.

    And those figures don't even account for the typing time.
    04-13-19 05:51 PM
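BigBadWulf's question in post 2 (the chance of guessing a 17-character password in 10 attempts) and conite's crack-time figures in post 23 are both keyspace arithmetic, and the same arithmetic is what a policy owner needs to decide whether a length cap matters. The script below is an added example, not code from the thread, from BlackBerry or from any Android source; it assumes the password is drawn uniformly at random from a fixed alphabet (so it says nothing about dictionary passwords), and the guess rates it uses are constructed assumptions, which is why its absolute year figures will not match the post's unless the same rate is assumed. It separates the two threat models the thread keeps mixing: an online guesser stopped by the 10-strike wipe, and an offline search that only applies if the attempt limiter has been bypassed.

```python
from fractions import Fraction
import math

# Constructed alphabet sizes (assumption: password drawn uniformly at random
# from one of these alphabets).
ALPHABETS = {
    "digits": 10,          # numeric PIN
    "alphanumeric": 62,    # a-z, A-Z, 0-9
    "alnum+symbols": 95,   # printable ASCII
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def lockout_success_probability(alphabet_size: int, length: int,
                                attempts: int = 10) -> Fraction:
    """Online model: probability that a guesser wins within `attempts` tries
    (i.e. before a wipe-after-10 policy fires) against a uniformly random
    password. Exact rational arithmetic; each failed guess removes one
    candidate, so `attempts` distinct guesses cover `attempts` of the space."""
    space = keyspace(alphabet_size, length)
    return Fraction(min(attempts, space), space)


def expected_offline_years(alphabet_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Offline model: expected time to hit a uniformly random password by
    exhaustive search when the attempt limiter is not in play. On average half
    the keyspace is searched before the hit."""
    expected_guesses = keyspace(alphabet_size, length) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def length_for_target(alphabet_size: int, target_years: float,
                      guesses_per_second: float) -> int:
    """Smallest length whose expected offline search time meets `target_years`
    at the assumed guess rate. Useful for setting a minimum-length policy."""
    length = 1
    while expected_offline_years(alphabet_size, length, guesses_per_second) < target_years:
        length += 1
    return length


def report(rates=(1e9, 1e12), lengths=(4, 6, 8, 12, 16, 17)) -> None:
    """Print a comparison table. The rates are constructed assumptions
    (1e9 and 1e12 guesses/s), not measurements of any real hardware."""
    for name, size in ALPHABETS.items():
        print(f"\nalphabet={name} ({size} symbols)")
        print(f"{'len':>4} {'bits':>6} {'P(win in 10)':>14} "
              + " ".join(f"{'years@%.0e' % r:>12}" for r in rates))
        for n in lengths:
            bits = length_bits = n * math.log2(size)
            p = lockout_success_probability(size, n)
            years = [expected_offline_years(size, n, r) for r in rates]
            print(f"{n:>4} {bits:>6.1f} {float(p):>14.3e} "
                  + " ".join(f"{y:>12.2e}" for y in years))


if __name__ == "__main__":
    report()
    # Minimum length for a 100-year expected offline search at 1e9 guesses/s
    # over printable ASCII (assumed rate and target, for illustration).
    print("\nlength for 100 years @1e9/s, 95-symbol alphabet:",
          length_for_target(95, 100, 1e9))
```

Two things the table makes concrete: with a wipe after 10 tries, even a 4-digit PIN gives an online guesser only a 1-in-1000 chance, which is why the thread's "10 attempts" argument holds for the online case only; and once the limiter is assumed away, every extra character multiplies the offline cost by the alphabet size, so the cap is what bounds the defender's options in that second model. Change the rate arguments to see how the year figures scale linearly with attacker throughput.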
24. BigBadWulf
    Conclusion

    While suppliers of forensic software may claim support for tens of thousands of models, the actual probability of successfully extracting a random Android smartphone is low because of the encryption. While exploits do exist allowing experts to overcome encryption on certain device models, these methods are far from universal, and will generally only work on smartphones featuring FDE with no Secure Startup. Any other configuration would require attacking the passcode on the device itself, and this may be problematic or impossible even if the device is on the list of supported models.

    Are encrypted Android devices secure or not? Compared to a recent iPhone (such as the iPhone 7, 8 and X), an average Android smartphone would be inherently less secure. For many Android smartphones one can develop an exploit based on one or the other unpatchable vulnerability. Granted, the code may not exist, but it can be developed: the direction is clear, and all the right tools are there. On the other hand, imaging an iOS device always requires breaking the passcode first, which can be done by one of the two companies (Cellebrite and GrayShift) and is subject to multiple “ifs” and “buts”.
    It's not that I agree 17 should be the limit, but if you need more, you don't look to CrackBerry for advice.
    04-13-19 06:13 PM
25. chetmanley
    Using an alphanumeric password with a special character, it would take an average of 2 centuries to crack 12 characters.

    17 characters is well into the 10^17 year vicinity.

    And those figures don't even include for the typing time.
    If an attacker uses word lists containing previously leaked password databases and commonly used passwords with typical password rules, then that time can be reduced significantly from what I understand.

    There are some interesting Youtube videos on the topic which demo how a desktop computer using multiple graphics cards can brute force alphanumeric passwords of 8 characters in minutes if not seconds using this method.

    I'm not an expert on the topic, but I'm trying to learn.
    04-13-19 06:15 PM