Android device password - Max 17 characters?
- Hello,
This is something I've missed since BB10. As far as I know, BB10 doesn't have a max character limit on device passwords.
I've read that people have compiled their own versions of android with a 100 character limit without apparent issue.
Is this default limit of 17 something that BB can remove or increase in future builds?
Edit: The character limit is 16
"Your password must be fewer than 17 characters."
Update: BB10 limit is 32 characters. iOS is 32 also (thanks Conite)
Last edited by chetmanley; 04-15-19 at 11:23 AM.
04-13-19 07:37 AM
- What is the statistical possibility one could crack a 17 character password in 10 attempts?
Ahhhhh... this provides some interesting clues.
BB10 only had a minimum limit of 4, but seemingly no upper limit.
I'm sure it would be simple for BB to tweak so a user could choose any password length they would like.
04-13-19 11:10 AM
- Maybe possible, but worth any effort? I can dig you want it, but can't picture there being much interest overall.
04-13-19 11:24 AM
- We know Cellebrite produces specialized USB cables which work to bypass device security. I'd love to learn how.
I have another concern regarding something written on the Fastboot screen. It says Mode: Product
This begs the question - are there other modes? I imagine some sort of "factory mode" or who knows.
Maybe these specialized USB cables can invoke these modes (assuming they exist), which would allow the attacker free access to the device, or maybe it would disable the attempt limit, allowing a computer to brute force it.
Perhaps some Android programming experts on the forum here can weigh in?
Maybe possible, but worth any effort? I can dig you want it, but can't picture there being much interest overall.
04-13-19 11:32 AM
- What is the statistical possibility one could crack a 17 character password in 10 attempts?
Ahhhhh... this provides some interesting clues.
17 seems pretty stingy to me.
Posted with my trusty Z10
04-13-19 01:48 PM
- With modern PW managers it's almost criminal not to use very long, complex hashes for all PWs. I would never suggest capping the length at a number less than 40, and 100+ character PWs are used for assets much less exploitable than a personal or work smartphone.
17 seems pretty stingy to me.
Posted with my trusty Z10
04-13-19 02:10 PM
- I didn't actually say that. I said I don't understand the logic of an OS capping any PW length at less than 40. What a user wants to use for their PW length is up to them, based on their risk appetite and threat environment. My pass phrase on my PC is almost 40 chars long, and I type it very quickly.
Posted with my trusty Z10
chetmanley and Jake2826 like this.
04-13-19 02:19 PM
- I didn't actually say that. I said I don't understand the logic of an OS capping any PW length at less than 40. What a user wants to use for their PW length is up to them, based on their risk appetite and threat environment. My pass phrase on my PC is almost 40 chars long, and I type it very quickly.
Posted with my trusty Z10
ppeters914 likes this.
04-13-19 03:27 PM
- Seems completely arbitrary.
04-13-19 03:32 PM
- I didn't actually say that. I said I don't understand the logic of an OS capping any PW length at less than 40. What a user wants to use for their PW length is up to them, based on their risk appetite and threat environment. My pass phrase on my PC is almost 40 chars long, and I type it very quickly.
Posted with my trusty Z10
04-13-19 03:34 PM
- The fact is, 17 has been chosen as an acceptable string length by a developer that is attempting to balance resources, and every conceivable metric says it is already overkill.
04-13-19 03:37 PM
- It's common for important systems these days to have very long hashed passwords. If they are truly random, the exact length is arbitrary, obviously, and you're right that, with brute force attacks not an option with the 10 incorrect attempt limit. But 17 really isn't a very long limit in 2019.
Jake2826 likes this.
04-13-19 04:11 PM
-
- But the length is completely arbitrary. No one can argue that 1 million characters is not better than 100 characters either.
The fact is, 17 has been chosen as an acceptable string length by a developer that is attempting to balance resources, and every conceivable metric says it is already overkill.
Why was 17 chosen as an acceptable string length? That seems arbitrary to me. As I stated in the first post, I did some reading and it appears some developers built their own Android version with a password length of 100 without any apparent negative effects...
BB10 doesn't appear to have a limit - if it does, it's definitely more than 17 and I can't find it mentioned in the documentation.
I'm sure it would take very little effort for BB to change a single variable to allow longer passwords on their devices.
04-13-19 04:39 PM
- Found this article from last year discussing Android Physical Access.
There is a section which describes how USB cables are used. Pretty interesting. Makes me wonder if BB has baked in a similar mode to their version of Android....
https://blog.elcomsoft.com/2018/05/d...l-acquisition/
Jake2826 likes this.
04-13-19 04:47 PM
- Why is the length completely arbitrary?
Why was 17 chosen as an acceptable string length? That seems arbitrary to me. As I stated in the first post, I did some reading and it appears some developers built their own Android version with a password length of 100 without any apparent negative effects...
BB10 doesn't appear to have a limit - if it does, it's definitely more than 17 and I can't find it mentioned in the documentation.
I'm sure it would take very little effort for BB to change a single variable to allow longer passwords on their devices.
The fact is, 17 characters with a wipe after 10 tries is many orders of magnitude more than is necessary already.
BigBadWulf likes this.
04-13-19 05:10 PM
- Found this article from last year discussing Android Physical Access.
There is a section which describes how USB cables are used. Pretty interesting. Makes me wonder if BB has baked in a similar mode to their version of Android....
https://blog.elcomsoft.com/2018/05/d...l-acquisition/
chetmanley likes this.
04-13-19 05:14 PM
- What I'm arguing is that new exploits are being discovered all the time. Perhaps on a BB device, the entire system can't be compromised like a Samsung or LG for example, but maybe the 10 attempt limit could be deactivated one day.
In this scenario, 17 characters may not be sufficient.
The bottom line, in my opinion, there is zero reason to be arguing for an arbitrary number of 17 characters. As I countered earlier, with a 10 attempt limit, the odds of brute forcing even a 4 digit pin are not that great - doesn't mean it's a great password.
There is no reason why it couldn't be increased to accommodate users who tend to prefer stronger passwords as a habit pattern. Everyone else can keep locking their devices with 1234 and be none the wiser.
04-13-19 05:18 PM
- It's common for important systems these days to have very long hashed passwords. If they are truly random, the exact length is arbitrary, obviously, and you're right that, with brute force attacks not an option with the 10 incorrect attempt limit. But 17 really isn't a very long limit in 2019.
You might be interested that companies such as Cellebrite are currently using exploits in Android, in which the length of the password is barely a concern.
Check out the reports posted...
https://blog.elcomsoft.com/2018/05/d...l-acquisition/
@chetmanley periodically posts the advancements Cellebrite makes with their extraction technology, and the list of devices they are able to extract from is starting to get very long.
The architecture of BB10 with its much smaller code base than Android means that it is still more secure than Android could ever hope to be simply because of Android's size and ever changing code.
04-13-19 05:28 PM
- Agreed, if the entire system can be compromised, and a number of devices have been.
What I'm arguing is that new exploits are being discovered all the time. Perhaps on a BB device, the entire system can't be compromised like a Samsung or LG for example, but maybe the 10 attempt limit could be deactivated one day.
In this scenario, 17 characters may not be sufficient.
The bottom line, in my opinion, there is zero reason to be arguing for an arbitrary number of 17 characters. As I countered earlier, with a 10 attempt limit, the odds of brute forcing even a 4 digit pin are not that great - doesn't mean it's a great password.
There is no reason why it couldn't be increased to accommodate users who tend to prefer stronger passwords as a habit pattern. Everyone else can keep locking their devices with 1234 and be none the wiser.
17 characters is well into the 10^17 year vicinity.
And those figures don't even include for the typing time.
BigBadWulf likes this.
04-13-19 05:51 PM
- Conclusion
While suppliers of forensic software may claim support for tens thousands of models, the actual probability of successfully extracting a random Android smartphones is low because of the encryption. While exploits do exist allowing experts to overcome encryption on certain device models, these methods are far from universal, and will generally only work on smartphones featuring FDE with no Secure Startup. Any other configuration would require attacking the passcode on the device itself, and this may be problematic or impossible even if the device is on the list of supported models.
Are encrypted Android devices secure or not? Compared to a recent iPhone (such as the iPhone 7, 8 and X), an average Android smartphone would be inherently less secure. For many Android smartphones one can develop an exploit based on one or the other unpatchable vulnerability. Granted, the code may not exist, but it can be developed: the direction is clear, and all the right tools are there. On the other hand, imaging an iOS device always requires breaking the passcode first, which can be done by one of the two companies (Cellebrite and GrayShift) and is a subject to multiple “ifs” and “buts”
04-13-19 06:13 PM
- There are some interesting YouTube videos on the topic which demo how a desktop computer using multiple graphics cards can brute force alphanumeric passwords of 8 characters in minutes if not seconds using this method.
I'm not an expert on the topic, but I'm trying to learn.
04-13-19 06:15 PM
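The two positions argued in this thread (guessing odds while the 10-attempt wipe holds, versus search time if that limit is ever removed) can be worked through numerically. The following is an added example, not part of any post: it assumes uniformly random passwords, `ASSUMED_RATE` is a made-up guess rate rather than a measurement of any device, and all function names are illustrative.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 31_557_600  # 365.25 days
ASSUMED_RATE = 10**9           # guesses/second: an assumption, not a measurement

def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length

def online_success(attempts: int, alphabet: int, length: int) -> Fraction:
    """Chance of hitting a uniformly random password within `attempts`
    distinct guesses, i.e. while a wipe-after-N-tries limit still holds."""
    return min(Fraction(1), Fraction(attempts, keyspace(alphabet, length)))

def offline_years(alphabet: int, length: int, rate: int = ASSUMED_RATE) -> float:
    """Expected years to find the password (half the keyspace on average)
    when nothing limits the number of attempts."""
    return keyspace(alphabet, length) / (2 * rate) / SECONDS_PER_YEAR

def min_length(alphabet: int, years: int, rate: int = ASSUMED_RATE) -> int:
    """Shortest random password whose expected search time is >= `years`."""
    needed = 2 * rate * years * SECONDS_PER_YEAR
    length = 1
    while keyspace(alphabet, length) < needed:
        length += 1
    return length

# Cases named in the thread: (label, alphabet size, length).
CASES = [
    ("4-digit PIN", 10, 4),
    ("8-char alphanumeric", 62, 8),
    ("16-char printable ASCII", 95, 16),
    ("32-char printable ASCII", 95, 32),
]

def report(attempts: int = 10):
    """One row per case: label, P(hit within `attempts`), offline years."""
    return [(name, float(online_success(attempts, a, n)), offline_years(a, n))
            for name, a, n in CASES]

if __name__ == "__main__":
    for name, p, years in report():
        print(f"{name:24} P(10 tries)={p:.2e}  unlimited tries: {years:.2e} years")
    print("random alphanumeric length for 100 years:", min_length(62, 100))
```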