BYOD Password Policies – First Level of Defense

14 04 2012

A ThreatPost tweet (Donohue, 2012) and coverage on NBC’s Today Show (How safe is your smartphone’s data?, 2012) gave broad visibility to a recent study sponsored by Symantec and Sprint, the Symantec Smartphone Honey Stick Project (Haley, 2012).  In late 2011 fifty smartphones were left in five large cities, in places where they would appear to have been misplaced by their owners, to see what finders would do with them.  Phony personal and corporate applications were loaded on the phones along with software that logged access to those applications and the phones’ GPS locations.  No passwords or other security features were enabled on any of the fifty phones.  On 83% of the phones the finder accessed the phony corporate applications or data.  The fake corporate email application was accessed on 45% of the phones, and the corporate data planted on the phones was accessed on 53% of the devices.  ([OPERATION HONEY STICK] Where’s Your Smartphone?, 2012)

The experiment summary document includes several recommendations for both corporations and consumers to better protect the data that resides on smartphones.  One recommendation specifically targets the password policies corporations set for these devices: “Organizations should develop and enforce strong security policies for employees using mobile devices for work; this includes requiring password-enabled screen locks. Mobile device management and mobile security software can aid in this area.” (Wright, 2012)  The Symantec experiment reinforces the point for corporations writing BYOD (Bring Your Own Device) policy: any employee-owned smartphone with access to corporate data must be covered by a strong password policy.

Good Technology (Bring Your Own Device Individual Liable User Policy Considerations, 2012) recommends establishing password and device locking policies for employee-owned devices that are similar to those established for company-owned PCs:

  1. Policy should require a password on the device.
  2. Policy should specify a required password length of 6 characters.
  3. Policy should specify that the password include at least one letter or number where the device supports alphanumeric passwords.
  4. Policy should require a password change every 90 days.
  5. Policy should set the password history to four (the last four passwords cannot be reused).
  6. Policy should state that after 30 minutes of inactivity the device locks and requires the password to unlock.
  7. Policy should state that after 10 invalid login attempts the device locks the account.

Andrew Jaquith, Chief Technology Officer of Perimeter E-Security, takes a more practical approach to password and device-locking policies for mobile devices, aimed at balancing a strong, secure password selection against device usability. (Jaquith, 2011)

  1. Policy should require a password on the device.
  2. Policy should require an 8-digit numeric PIN and disallow simple PINs.
  3. Policy should lock the device after 15 minutes of inactivity (with a 2-minute grace period).
  4. Policy should automatically wipe or permanently lock the device after 8 invalid login attempts.

(No policy exists specifying the frequency of PIN changes or requirement to maintain password history.)
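Jaquith’s list leaves two points vague: what counts as a “simple PIN”, and why an 8-attempt wipe makes an 8-digit PIN adequate without a rotation requirement.  The following Python is an added example written for this post, not code from Jaquith, Good Technology or Symantec.  Its assumptions are mine: the 8-digit requirement is read as a minimum length, and a “simple” PIN is defined as one digit repeated, a +1/-1 digit run (wrapping 9 to 0), or a shorter block repeated.

```python
"""Added example: enforcing "no simple PINs" and sizing the online-guess budget.

Not code from the page, Jaquith or Good Technology.  Assumptions (mine): the
8-digit requirement is a minimum length; a "simple" PIN is one digit repeated,
a +1/-1 digit sequence (wrapping 9->0 allowed), or a shorter block repeated.
"""
from __future__ import annotations
from itertools import product


def is_simple_pin(pin: str) -> bool:
    """True for the patterns an attacker would try in the first few guesses."""
    n = len(pin)
    if n < 2:
        return True
    if len(set(pin)) == 1:                     # 00000000, 77777777
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {9}:           # 12345678, 89012345, 98765432
        return True
    for k in range(1, n // 2 + 1):             # 12121212, 123123
        if n % k == 0 and pin == pin[:k] * (n // k):
            return True
    return False


def validate_pin(pin: str, min_len: int = 8) -> tuple[bool, str]:
    """Jaquith-style rule: numeric, at least min_len digits, not a simple pattern.

    Caveat: dates such as 19800101 and other popular PINs pass this filter;
    a real deployment should add a blocklist of known-common PINs.
    """
    if not pin.isdigit():
        return False, "numeric digits only"
    if len(pin) < min_len:
        return False, f"at least {min_len} digits required"
    if is_simple_pin(pin):
        return False, "repeated, sequential or repeated-block PINs not allowed"
    return True, "ok"


def count_simple_pins(length: int) -> int:
    """Brute-force count of blocked PINs; O(10**length), fine up to length 6."""
    return sum(1 for digits in product("0123456789", repeat=length)
               if is_simple_pin("".join(digits)))


def online_guess_probability(length: int, attempts: int, blocked: int = 0) -> float:
    """Chance of guessing a PIN chosen uniformly from the compliant keyspace
    before the device locks or wipes after `attempts` failures.

    Without the simple-PIN ban the realistic figure is far higher, because
    real users cluster on exactly the patterns is_simple_pin() rejects; the
    ban is what makes the uniform model roughly honest.
    """
    keyspace = 10 ** length - blocked
    return min(1.0, attempts / keyspace)


if __name__ == "__main__":
    for pin in ("1234", "11111111", "12121212", "89012345", "73920481"):
        print(pin, validate_pin(pin))
    print(f"{count_simple_pins(4)} of 10000 four-digit PINs are 'simple'")
    # Good Technology: 10 attempts then lock; Jaquith: 8 attempts then wipe
    for length, attempts in ((4, 10), (6, 10), (8, 8)):
        p = online_guess_probability(length, attempts)
        print(f"{length}-digit PIN, {attempts} tries before lock: P(success) = {p:.2e}")
```

The attempt cap is what does the work: with a wipe at 8 failures, an attacker who finds an unattended phone gets 8 guesses out of 10^8, so PIN rotation adds little, which is why Jaquith’s policy omits it.  The simple-PIN ban matters because those 8 guesses will be spent on 12345678, 00000000 and similar, not on random digits.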

In a recent Forbes article (Gupta, 2012), PJ Gupta cites “Leaving Passwords Up to the Users” as one of the common BYOD policy mistakes: users will not consistently enable password protection on mobile devices unless required to.  He instead sees the need for IT departments to establish BYOD policies that require passwords on all devices, with appropriate complexity standards set for those passwords.

Password policies are only a subset of the policies required to integrate BYOD into a corporation.  But as Symantec’s Honey Stick Project shows, password and device-locking policies provide the first level of defense for corporate data on mobile assets.

NOTE:  Symantec is building out its capability to manage mobile devices across the enterprise with its recent purchases of two companies, Odyssey Software and Nukona.  Odyssey Software provides Mobile Device Management (MDM) and Nukona provides Mobile Application Management (MAM). (Symantec Corporation, 2012)  The results of the study encourage consideration of these new product offerings.


[OPERATION HONEY STICK] Where’s Your Smartphone? (2012). Retrieved from

Bring Your Own Device Individual Liable User Policy Considerations. (2012). Retrieved from

How safe is your smartphone’s data? (2012, March 8). Retrieved from

Donohue, B. (2012, April 4). Symantec Experiment: Half Of Those Who Find Smartphones Don’t Return Them. Retrieved from

Gupta, P. (2012, February 27). Developing a BYOD Strategy: The 5 Mistakes To Avoid. Retrieved from

Haley, K. (2012, March 9). Introducing the Symantec Smartphone Honey Stick Project. Retrieved from

Jaquith, A. (2011, March 7). Picking a Sensible Mobile Password Policy. Retrieved from

Symantec Corporation. (2012). Symantec Advances Enterprise Mobility with Odyssey Software and Nukona. Retrieved from

Wright, S. (2012). The Symantec Smartphone Honey Stick Project. Retrieved from
