Check: WIR1030-01
BlackBerry Handheld Device:
WIR1030-01
(in versions v2 r11 through v2 r8)
Title
When the Password Keeper is enabled on the BlackBerry device, the AO must review and approve its use, and the application must be configured as required. (Cat III impact)
Discussion
Password Keeper is a default BlackBerry application that can be installed on the BlackBerry handheld device. This application allows users to store passwords. The use of Password Keeper should be reviewed and approved by the local AO. Passwords are stored with 256-bit AES encryption provided by the BlackBerry FIPS 140-2 certified encryption module. Passwords in the Password Keeper can be copied and pasted into other applications, but a copied password is unencrypted while it resides in the BlackBerry handheld device clipboard.
Check Content
Detailed Policy Requirements:

When the Password Keeper is enabled on the BlackBerry device, the AO must have reviewed and approved its use, and the application must be configured to enforce the following password rules.

- Require use of eight or more characters. The Password Keeper must be configured to enforce this policy.
- Set the number of incorrect passwords entered before a device wipe occurs to 10 or less. The Password Keeper must be configured to enforce this policy.
- Set local policy to require a change of password at least every 90 days.

Check Requirements:

Interview the ISSO. Ask if users are allowed to use Password Keeper on their handheld devices.

If Password Keeper is used:

- Review the AO approval documentation regarding this.
- Work with the ISSO to view the Password Keeper configuration on a sampling of BlackBerry devices using this application.
- On each BlackBerry, go to Applications/Password Keeper. The Password Keeper icon may also be installed directly on the BlackBerry home screen.
- Verify the following Password Keeper setting (have user log into Password Keeper, then click menu and select Options).
  - Verify Random Password Length is set to 8 or more.
  - Verify Password Attempts is set to 10 or less.
- Verify users are trained on password change requirement (90 days or less) by reviewing user agreement or training materials.

If Password Keeper is not authorized:

- Review a sample of site BlackBerry devices (2-3 devices) to verify Password Keeper is not installed: Settings >> Options >> Advanced >> Applications. Review the list of installed applications and confirm Password Keeper is not on the list.
Fix Text
When the Password Keeper is enabled on the BlackBerry device, the AO has reviewed and approved its use, and the application is configured as required.
Additional Identifiers
Rule ID: SV-12364r3_rule
Vulnerability ID: V-11865
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |