Can I get some real examples of how banks are deploying passwords on their Blackberry devices? For example, how many characters, how often to change, timeout. I have read all the best practices, but what are people really doing? I am getting resistance from Management and would like support of what is being done in the real world. If you could tell me the size of your bank in your reply also, that would help.

This is one area where I wouldn't rely on what others are doing. Stick with the best practices. Mobile devices are probably the "highest" risk devices if they contain any confidential information.

6 characters, every 90 days; size of bank is a little over $2 trillion

Do you wipe the device upon termination of an employee? And who owns the devices...the company or the employee? Are you aware of any HR or legal issues surrounding wiping the device if the employee owns the device?

We are a large institution and do not allow employee devices except on a rare exception basis - only corporate owned devices for work e-mail. Passwords must be 7 characters, 1 must not be a letter, and it must be changed every 30 days. If you forget your password, you have 9 attempts to get it right; if you are unsuccessful, the device self destructs. (No 1 supposedly has the password except the user.) Seriously -- it wipes itself and you have to start all over with it through IT like it is a new device and you are a new user -- all of your settings and information are gone. It also automatically goes to the password screen every 30 minutes, regardless of whether you are in the middle of typing an e-mail.

It is sort of frustrating, but understandable.

I think there might be issues surrounding wiping if the device is owned by the employee. I would suggest you set up a contract at the outset requiring such a wipe if they are allowed to use their own device. Practicly speaking, I am not sure what leverage you would have to enforce that in a timely manner however.

ditto with hobot; no employee owned devices

we just went through a bit of cost cutting and the replacement blackberrys have no phone service, email and internet only

It's all fine and dandy to require as a matter of policy strong passwords that need to be reset periodically- but, unlike a computer workstation, we can't find any way to have the Blackerry enforce these rules. In other words, you can require it, but it doesn't mean it will be done.