
When the Password Keeper is enabled on the BlackBerry device, the DAA must review and approve its use, and the application must be configured as required.


Overview

Finding ID: V-11865
Version: WIR1030-01
Rule ID: SV-12364r2_rule
IA Controls: ECSC-1
Severity: Low
Description
Password Keeper is a default BlackBerry application provided by RIM that can be installed on the BlackBerry handheld device. This application allows users to store passwords. The use of Password Keeper should be reviewed and approved by the local DAA. Passwords are stored with 256-bit AES encryption provided by the BlackBerry FIPS 140-2 certified encryption module. Passwords in Password Keeper can be copied and pasted into other applications, but a copied password is unencrypted while it resides in the BlackBerry handheld device clipboard.
STIG Date
BlackBerry OS (version 5-7) Security Technical Implementation Guide 2014-06-11

Details

Check Text (C-12372r2_chk)
Detailed Policy Requirements:

When the Password Keeper is enabled on the BlackBerry device, the DAA must have reviewed and approved its use, and the application must be configured to enforce the following password rules.

- Require use of eight or more characters. The Password Keeper must be configured to enforce this policy.

- Set the number of incorrect passwords entered before a device wipe occurs to 10 or less. The Password Keeper must be configured to enforce this policy.

- Set local policy to require a change of password at least every 90 days.

Check Requirements:

Interview the IAO.
Ask if users are allowed to use Password Keeper on their handheld devices.

If Password Keeper is used:

- Review the DAA approval documentation regarding this.

- Work with the IAO to view the Password Keeper configuration on a sampling of BlackBerry devices using this application. On each BlackBerry, go to Applications/Password Keeper. The Password Keeper icon may also be installed directly on the BlackBerry home screen. Verify the following Password Keeper settings (have the user log into Password Keeper, then click menu and select Options):
  - Verify Random Password Length is set to 8 or more.
  - Verify Password Attempts is set to 10 or less.

- Verify users are trained on the password change requirement (90 days or less) by reviewing the user agreement or training materials.

If Password Keeper is not authorized:

- Review a sample of site BlackBerry devices (2-3 devices) to verify Password Keeper is not installed: Settings > Options > Advanced > Applications. Review the list of installed applications and confirm Password Keeper is not on the list.

Fix Text (F-23342r1_fix)
When the Password Keeper is enabled on the BlackBerry device, ensure the DAA has reviewed and approved its use and the application is configured as required.