Third of US banks OK with passwords even social networks reject

Six of 17 major US banks have weaker password enforcement procedures than most social networking websites, according to a new study by an American university. The banks ask users to set up passwords that include letters and special symbols, but a study by researchers at the University of New Haven shows that in around a third …

  1. Pascal Monett Silver badge

    "why do social networking platforms [..] adopt much stricter password policies?"

    Simple.

    You have insurance for your money.

    There is no insurance for your reputation.

    People will not care so much for the safety of their bank account since they can have a discussion with their banker face-to-face, prove their ownership and innocence, and get things set straight.

    Try doing that with a Facebook representative when your account has been hijacked (don't know if that has ever happened).

    1. Mark 85 Silver badge

      Re: "why do social networking platforms [..] adopt much stricter password policies?"

      I've heard from friends who use FB that hijacking is common and FB doesn't really pursue things. So... meh on them.

      1. James O'Shea Silver badge

        Re: "why do social networking platforms [..] adopt much stricter password policies?"

        "I've heard from friends who use FB that hijacking is common and FB doesn't really pursue things. So... meh on them."

        Facebook 'hijacking' is trivially easy. For reasons best known to FB, <identity redacted> known to be because of <identifying feature redacted> once had some twit drop FB message traffic onto his/her/its gmail account. This was despite <redacted> not having a FB account, but having a Gmail account one digit off of the FB twit's account. Appeals to the FB twit to stop having his allegedly private messages appear on <redacted> Gmail went unanswered. Appeals to FB admin to do something about their user went unanswered. What resolved the matter was when <redacted> used the fact that the FB account was effectively identical to <redacted> account, and went onto FB and tried to delete the account. After the second time this was done the FB twit got the message and the messages stopped showing up in Gmail. It was trivial to get complete control of the FB account. Security? They've heard of it.

  2. Chigaimasmaro

    When CapitalOne acquired IngDirect

    I remember when that acquisition took place between CapitalOne and IngDirect, the first thing CapitalOne did was remove security features that IngDirect had in favor of ONLY needing a password to log in. So, I know CapitalOne doesn't really care about security.

    1. Anonymous Coward

      Re: When CapitalOne acquired IngDirect

      That's not exactly true. I get that you skipped right over the bit that's false because the researchers on this article did too. In order to get access you need the password PLUS the account number. On social media, people already KNOW your account name, so the password becomes a single point of failure.

      Also, I'm not 100% sure it's ONLY the password. They may also have a challenge question if you've logged in from a machine that doesn't have a cookie identifying you. I normally only access my accounts from home, so I'm normally willing to tell it to use a cookie to remember me. Since I normally access that account on a regular basis the cookie never expires. I have an account at another bank that I don't access as frequently and I sometimes have to answer the security questions. Which is a real bitch because I only remember the stored answer to one of them.

      1. Dan Wilkie

        Re: When CapitalOne acquired IngDirect

        My account username on Facebook is an email address that bears no relationship to my name at all and is used only for my FB account. So the logic doesn't really follow. Hell, someone could swipe my wallet and use my account number straight from my Debit card but they'd have a hard time guessing the email address.

        That said, my bank has mandatory 2FA.

      2. Anonymous Coward

        Re: When CapitalOne acquired IngDirect

        But I have a CapitalOne CC and a CapitalOne 360 account, I also have FireFox clear my entire history (with cookies, all offline content and caches) after quitting. Neither website asks for anything more than a username and password. I was asked to set up challenge / response questions a couple months ago, but I see them on the mobile app and not the main websites. That's why I never check my CapitalOne info from any other place other than my home machine that I know I can wipe the cache and temp files.

  3. Anonymous Coward

    Don't know about my bank... but

    My Natural Gas provider only allows up to 10 characters. Only Numbers and Letters at that.

    No Special Characters at all.

    1. Gerhard Mack

      Re: Don't know about my bank... but

      The Bank of Montreal (Canada) supports max 5 char passwords consisting of letters and numbers only.

      1. lbcfan

        Re: Don't know about my bank... but

        Funny, my BMO account has a 10 digit password. Wonder what universe I live in.

        1. Gerhard Mack

          Re: Don't know about my bank... but

          I typoed... it is a 6 char password and I just went back into the site to confirm I'm not crazy. The password field on bmo.com's "everyday banking" won't go past 6 chars.

  4. tekHedd

    Max of 8 characters -- finally extended?

    My credit union (PSCU) recently extended the password length, which was limited to 8 characters. They extended it to 15.

    Aside from security considerations, they're a great credit union. Hmm. That's hardly a glowing endorsement of one's financial institution, is it?

  5. hellwig Silver badge

    When did Wells Fargo Last Update

    In 2000 I signed up for Wells Fargo online, after they bought my old bank. They had me create my password via phone (oh, 2000, such a simpler time). That meant my password: "password" was entered as 72779673. So any letter/number combination that translated to 72779673 would have been able to log in as me.

    At some point I eventually changed my password via the online mechanism, which I assumed was a little stronger, but apparently, not much so.
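To show how much of the keyspace the phone-keypad entry described in the post above throws away, here is an added Python example; it is not code from the commenter or The Register, and it assumes the standard phone layout (2=abc, 3=def, 4=ghi, 5=jkl, 6=mno, 7=pqrs, 8=tuv, 9=wxyz).

```python
# Added example: a phone keypad maps many different passwords onto one digit string,
# so every one of those inputs authenticates. Keypad layout assumed as in the lead-in.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}


def keypad_digits(password: str) -> str:
    """Return the digit string a phone keypad transmits for `password`.
    Letters are case-folded, digits pass through, anything else is rejected."""
    out = []
    for ch in password.lower():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"character {ch!r} has no keypad digit")
    return "".join(out)


def equivalent_inputs(password: str) -> int:
    """Count the distinct inputs that collapse to the same digit string as `password`.
    At each position the attacker may type any letter on that key or the digit itself,
    so the count is the product of (letters on key + 1) over all positions."""
    count = 1
    for digit in keypad_digits(password):
        count *= len(KEYPAD.get(digit, "")) + 1   # keys 0 and 1 carry no letters
    return count


def letters_only_equivalents(password: str) -> int:
    """Same count restricted to all-letter inputs (zero if any key has no letters)."""
    count = 1
    for digit in keypad_digits(password):
        count *= len(KEYPAD.get(digit, ""))
    return count


if __name__ == "__main__":
    pw = "password"        # the example from the post above
    print(pw, "->", keypad_digits(pw))
    print("inputs accepted as equivalent:", equivalent_inputs(pw))
    print("of which all-letter strings:", letters_only_equivalents(pw))
```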

  6. Anonymous Coward

    Overly complex requirements can be detrimental too

    I have a number of complex passwords that I use for various things, but none of mine met the requirements of one company. This forced me to think of something new and utterly unmemorable. So of course I would need to write it down. To make the point I printed my password out on A3 sheets and stuck it to the office wall, knowing that the company's FAE visited us weekly and would see it, and hopefully take the hint that their requirements were actually lowering their security.

    1. Anonymous Coward

      Re: Overly complex requirements can be detrimental too

      Why would you think they'd listen to their lowly FAE, even if he figured it out and reported it?

  7. Old Handle

    I wonder if banks are more apt to code their own security system while social media sites use off-the-shelf solutions or at least design something more or less industry standard.

    1. Tom 13

      Re: I wonder if banks more apt to code their own security system

      Same as elsewhere, the larger the bank the more likely they are to be rolling their own. I know my credit union farms theirs out. They're too small to do it on their own and at one point the people at the bank couldn't reset your password if you got locked out or forgot it.

      Also, there's no way FarceBook or Twatter are using COTS for their websites. It simply wouldn't handle the volume.

  8. Anonymous Coward

    just a guess

    Banks want their paying customers (even the old geezers) to be able to conveniently use their website, even if their security isn't very secure.

    Social media sites don't give a shit. If you want to be cool and trendy and be seen by your "friends", you'll do it the way they want you to and you'll like it.

    yes, I'm cynical.

  9. FelixReg

    Are special characters and upper case a good idea

    Or is it better just to add another character to your password?

    It might be interesting to test this. Have a site that forces 1/3rd of the users to jump through the special-case-sensitive-character hoop, 1/3rd of the users to enter what they want, and force 1/3rd of the users to enter 1 or 2 more characters than whatever the middle third are required to enter. Then look at the passwords chosen by each group. Which are more crackable? By a machine.

    1. a_yank_lurker Silver badge

      Re: Are special characters and upper case a good idea

      On a US keyboard letters and numbers only allow 62 possible characters per position. If all the special characters are allowed you get 92 possible characters. The question becomes when does 92^n > 62^n+1 and is n a relatively small number; haven't done the math.

      1. Paul Kinsler

        Re: when does 92^n > 62^n+1 ?

        if n>0.

        Did you mean 92^n > 62^(n+1) ?

        1. Paul Kinsler

          Re: when does 92^n > 62^(n+1) ?

          n log(92) > (n+1) log(62)

          n (log(92)-log(62)) > log(62)

          n > log(62) / (log(92)-log(62))

          n >= 11 (for integer n)

          1. Tom 13

            @Paul Kinsler

            Up vote for doing the maths.

            Still there is a problem in that the maths are only a minor input into the real problem. We all know the most standard rule for passwords these days: x character or more long, at least one each of upper, lower, number, special character. The problem is people. They want something they can remember, which usually reduces it to dictionary words with numbers and specials tossed in or morphed into l33t spe@k. So you're now at significantly less than 92^n instances you need to check. Then we get to the really interesting thing they found in a recent study. Given that rule, most people select EXACTLY one upper, lower, and special. And that drastically reduces the size of dictionary hackers use for their attacks.

            As the guy creating most of our email accounts I've gotten used to creating complex passwords from simple phrases (eg: B1t!nGtH3H@nDtHaTfE3d$; our email system doesn't allow dictionary words of 4 or more characters). And I have to say the most annoying websites are the ones that cut down your list of special characters and limit your word length. For the life of me I can't set one for our conferencing system and I can't memorize the ones they generate for you.

    2. Cuddles Silver badge

      Re: Are special characters and upper case a good idea

      "Or is it better just to add another character to your password?"

      Or more importantly - is it better just to add an arbitrary number of characters to your password? The biggest problem with rules for passwords is restricting the length, often to as few as 8 characters (and PINs, which are just passwords by another name, are usually just 4). There are arguments about how strong XKCD's "correct horse battery stable" scheme is, but the arguments against it all rest on the length being short - if you know a password is made of 4 words, you can target an attack based on that knowledge. But what if a password might be 20 words long or more, and you have no idea what that length actually is? A brute force dictionary-based attack on such a password is much, much harder than a character-based attack on a password with 20 characters no matter how many special characters you allow, since there are far more than just 96 words in any language.

      And as is always pointed out, people are really good at remembering words. That's the whole problem - people choose passwords they can actually remember. We routinely remember the lyrics to hundreds of songs, can quote from hundreds of films and books, memorise long poems, plays and speeches, and so on. Using just a few random words might not make a more secure password, but why limit it to that? Allow arbitrary length passwords, enforce a minimum length (20 characters or so), enforce only lower case letters (so there are no problems remembering capitalisation and punctuation), and everything would be far more secure and far easier to remember.

  10. Anonymous Coward

    2FA Today!

    This from the BBC today shows yet another way to pwn 2FA, slick, powerful, simple...

    http://www.bbc.co.uk/news/business-35716872

  11. GBE

    What's a "thruway item"?

    The article uses the phrase "thruway item". For the benefit of us left-of-pond types, can somebody explain what that means?

    1. Doctor Syntax Silver badge

      Re: What's a "thruway item"?

      It means someone wasn't using the spill chucker.

  12. Anonymous Coward

    READ-ONLY Bank-Account?

    *-- Some banks still use national ID numbers as usernames! Others use case insensitive challenge questions that can be pwned via Facebook. Knowing this...

    *-- How many banks offer 'Outside Transfers' that permit external accounts to be set-up in 2-mins using the same session? Some require 2FA, but that can be pwned thanks to 'IoT class' phone security!

    *-- External transfers aren't needed by everyone, so shouldn't this require a burdensome paper-trail process, or in-branch face-to-face time to set up....?

    *-- When travelling how about read-only account access? Or visibility restricted to one account for credit card monitoring etc. To pay utilities, how about a cap that limits a/c number changes and caps outgoing payments to 50-100 USD a month....

    *-- Then if accounts are hacked / hijacked, it will mostly be read-only, mostly leak basic info only, and have a damage limiter...

    *-- But this is not what the banks want! They want 'feature rich' online-banking, so that they can sh1tcan more branches, downsize more offices!

    1. Tom 13

      Re: READ-ONLY Bank-Account?

      Anyone who thinks outgoing payments from a bank can be capped at $50-100/month is too stupid to be allowed near source code. Not even sure they qualify as sufficiently intelligent to be a PHB.

      1. Anonymous Coward

        'too stupid to be allowed near source code'

        So smug you miss the point! Step away from the keyboard for a moment!

        Who said anything about the cap being set in source code? After all, this isn't the year 2000!

        It's not locked in source, it's just locked to hackers! The cap has to be set in-branch (in-person) or using a system that can't simply be pwned by exploiting weak points in A. the online banking session, B. weak support staff, C. weak telephone password reset systems. (The kind of thing that was used by hackers to hijack the email accounts of NSA / CIA security staff in USA in 2015 etc...)

  13. Anonymous Coward

    Not worth much

    I used to work for a bank where 20 years ago we rolled out two factor login for our high net worth clients. The clients hated it. Our client reps hated us for it. In about a year we had disabled it for the 90% plus clients who didn't want the extra hassle. And we, or most importantly our clients suffered very few losses as a result..... in fact there were none for at least the next decade. Simpler times, and hopefully it's back now.

    Two factor auth is a hassle but it works. In comparison password complexity really doesn't matter hugely in the scheme of things. It doesn't help if the attack is a keyboard logger, or if the password is reused by the client on other sites that store it unhashed. Even if it is hashed experience shows password complexity is normally interpreted as having the first letter capitalised and the digit "one" appended so is pretty easy to brute force. What it does best is make the client forget their password, and have it reset by giving their favourite colour or first pet's name and getting a reset link mailed to them via insecure email.

    1. Nate Amsden Silver badge

      Re: Not worth much

      I bet 2 factor was a bitch 20 years ago.

      After using duo security for the past 18 months... if I am to use 2 factor I want it to be that or nothing.

      Every other system seems like an archaic piece of shit by comparison.

  14. Anonymous Coward

    Who's actually winning the Data Wars...

    Or put another way, who's helping us lose...

    Politicians and regulators are too dumb / too slow to enact change. Corporations and banks are too greedy or obsessed with the bottom line. The media is too drunk on IoT...... It's a field day for cyber-crims right now!

    Last month HSBC announced biometric... The problem with that is it's been given all the forethought of IoT security!!... Passwords can be reset, but biometric info can't be put back in the bottle. So why doesn't the mass media warn of the consumer risks and mention the dangers of biometric data being leaked into the wild.... Nope, all the media had to say that day was how everyone hates passwords...

    But this is irrelevant. Passwords are a necessary evil right now, everyone knows this! Besides, even when users are careful, which we know they never are, the JP-Morgan hack from a couple of years ago, proves that any database can get hit, no matter how many layers of protection it hides behind.

    So what happens when all that juicy biometric info leaks online, which it will... What will the media have to say on that day...???

    For me the worst offender in this weak-security / hacking / data leaking / IoT crisis, has been the media itself! Apart from the Reg and a handful of others, the media is selling us out as suckers!

  15. Will Godfrey Silver badge
    Meh

    Hmm.

    One thing that always annoys me is the sites that insist on at least one digit. By doing so they actually reduce the security. Every type-able character should be allowed, but none should be compulsory.

    1. stretch611

      Re: Hmm.

      Requiring at least one digit does not weaken a password. It does strengthen it as long as you can put the digit anywhere.

      If you have an 8 character password and can only use lowercase letters there are 209 billion possibilities ( 26^8, or 26*26*26*26*26*26*26*26 )

      Using upper or lowercase increases that to 53 trillion possibilities (52^8)

      Adding 10 possible digits brings it to 218 trillion possibilities. (62^8)

      The possibilities increase exponentially as long as the digit can be anywhere and you can add as many as you want.
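To put exact numbers on the keyspace arithmetic in this thread (the 26^8 / 52^8 / 62^8 figures above, the 92^n > 62^(n+1) question from FelixReg's thread, Tom 13's point about "exactly one of each" passwords, and Cuddles' word-based passphrases), here is an added Python example; it is not code from any commenter or from The Register, and the 30 special characters (92 minus 62) and the 7776-entry word list are assumptions.

```python
import math

# Alphabet sizes used in the thread above (US keyboard).
LOWER, MIXED_CASE, ALNUM, ALNUM_SPECIAL = 26, 52, 62, 92
SPECIALS = ALNUM_SPECIAL - ALNUM          # 30 printable specials (assumed)
WORDLIST = 7776                           # assumed Diceware-style word list size


def keyspace(symbols: int, length: int) -> int:
    """Distinct strings of exactly `length` positions over an alphabet of `symbols`."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return symbols ** length


def bits(space: int) -> float:
    """Equivalent entropy in bits for a uniform random choice among `space` candidates."""
    return math.log2(space)


def min_length_beating(larger: int, smaller: int) -> int:
    """Smallest integer n with larger**n > smaller**(n+1): the length from which the
    bigger alphabet beats one extra character of the smaller one. Starts from the
    closed form n > log(smaller)/(log(larger)-log(smaller)) and confirms with exact ints."""
    if larger <= smaller:
        raise ValueError("larger must exceed smaller")
    n = max(1, math.floor(math.log(smaller) / (math.log(larger) - math.log(smaller))))
    while larger ** n <= smaller ** (n + 1):
        n += 1
    return n


def policy_shaped_space(length: int) -> int:
    """Passwords of `length` with EXACTLY one upper, one digit and one special and every
    other position lowercase: the shape most users pick under an 'at least one of each'
    rule. Ordered choice of the three special positions, times the symbol choices,
    times lowercase filler for the rest."""
    if length < 3:
        return 0
    positions = length * (length - 1) * (length - 2)
    return positions * 26 * 10 * SPECIALS * LOWER ** (length - 3)


def passphrase_space(words: int, count: int) -> int:
    """Random passphrase of `count` words drawn independently from a list of `words`."""
    return words ** count


if __name__ == "__main__":
    for label, s in (("lowercase", LOWER), ("mixed case", MIXED_CASE),
                     ("alnum", ALNUM), ("alnum+special", ALNUM_SPECIAL)):
        print(f"{label:>14} x8: {keyspace(s, 8):>22,d} ({bits(keyspace(s, 8)):.1f} bits)")
    print("92^n beats 62^(n+1) from n =", min_length_beating(ALNUM_SPECIAL, ALNUM))
    shaped = policy_shaped_space(8)
    print(f"'exactly one of each' 8-char: {shaped:,d} ({bits(shaped):.1f} bits)")
    print(f"4 random words: {bits(passphrase_space(WORDLIST, 4)):.1f} bits; "
          f"20 random lowercase: {bits(keyspace(LOWER, 20)):.1f} bits")
```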

  16. Colin Tree

    don't care

    It's cheaper for banks to pay for thefts than to implement real security.

    They have real security on their own money, but don't really care about yours.

  17. Graham Marsden
    Thumb Down

    Bank passwords

    One online bank I use simply requires you to input a 5 digit code to access your account. Another is slightly more secure asking for e.g. characters 1, 3 and 5 from a memorable word.

    Not the most secure ever...

  18. Barry Rueger Silver badge

    Accept? How about demand?

    My Canadian bank still has passwords that are not case sensitive and does not allow "special" characters.

    When I last complained, three years ago, they argued, with a straight face, that allowing these would confuse customers.

    And yes, the challenge question when you phone them is still my mother's "maiden" name.

    1. Steven Roper

      Re: Accept? How about demand?

      "And yes, the challenge question when you phone them is still my mother's "maiden" name."

      With my bank the question is my date of birth. I don't know which is worse as a "security" question, but those are the two most common ones!

    2. Tom 13

      Re: them is still my mother's "maiden"

      Maybe you Canucks are a bit more lax than the US with birth certificates, but mother's maiden name is actually still fairly difficult to find. Even knowing where my mother was married I can't find the newspaper announcement on the internet. Too much flack in the way. Oddly enough, I've never thought of it as similar to "Smith" in terms of providing anonymity but apparently some of our cousins across the pond do a very, very good job of protecting me.

  19. Nate Amsden Silver badge

    my bank pw

    Was the last 4 digits of my SSN for more than a decade (the default password they assigned at the time, mid 90s).

    It is one of the banks listed.

    AFAIK none of my accounts have ever been compromised on any site. I have unique passwords and email addresses for each site (and I run my own email server). All stored in ultra secure QUADRUPLE ROT13 encoded text files. Web browser runs as a more limited user account on my linux mint systems.

  20. Kevin Johnston

    A certain bank in Ireland

    wanted a password between 6 and 8 characters but they had to be lower case letters. If you mistakenly used other characters it would accept it so long as both copies matched but it would fail when you tried to use it to log in.

  21. mike acker

    Passwords work

    Passwords work

    just ask the FBI : why can't they crack that iPhone ? can't even get past a 6 digit passcode?

    not if it's administered properly

    biometrics are just a scheme to eliminate anonymity -- and -- they suffer from the disastrous problem: once compromised you can't change them.

  22. Anonymous Coward

    Another Poor Password Bank/Brokerage

    You can add Charles Schwab to the list. I transferred my brokerage accounts to another vendor last year because they didn't recognize upper/lower case. I have a small, local bank with 2 branches that has better security. Sheesh.

  23. Crisp Silver badge

    Why am I stuck using a 10 character password in 2016 for most sites?

    I should be able to have a password as long as this post if it is required, and must contain letters.

  24. Anonymous Coward

    Why would they give a S%&T

    It's simple !! The banks just DON'T CARE!!

    As long as they have transferred the responsibility to the customer and they can argue "they are not liable" why should they care, you're the one swallowing the cost of a fraud, not them.

    Every time your Bank phones you and you challenge their identity they fail authentication, the most basic security check. But they expect, nay demand, you provide answers to their "security question" to an unauthenticated calling source. TOTAL FAIL.
