January 6, 2016


Attention Banks: A Weak Password Security Policy Can Put Your Customers at Risk

Top financial institutions lock down customer data with robust, multi-layer security that is completely impenetrable to hackers. At least, that’s the assumption many people might make. Unfortunately, the truth is sometimes very different.

In a recent study that looked at bank password strength, researchers found that 35 percent had significant weaknesses in their policies. Conducted by the University of New Haven Cyber Forensic Research and Education Group, the study focused only on very large banks, which makes the finding even more of a concern.

Some of those singled out as lacking in password security were Wells Fargo, Capital One, Chase Bank and Citibank. In total, researchers estimated that these password issues impact about 350 million customers.

Big Banks, Big Problems

Commenting on the study, security research firm Kaspersky Lab noted that every bank singled out for weaker password security had a website policy that does not differentiate between upper- and lower-case letters. Treating “Password” and “password” as the same string means the 26 upper-case letters add nothing to the set of passwords an attacker has to try, which shrinks the search space and weakens security for every customer of that bank.

One of the researchers estimated that an attacker could brute-force a case-insensitive password in as little as eight hours, whereas a case-sensitive password of the same length would take about 26 days, and then only with substantial computing power behind the attack.
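The following is an added example, not code from the article or from the study it cites. It puts numbers on the point above: a verifier that lower-cases the password before hashing (the “does not differentiate between upper- and lower-case” policy) can only distinguish 36 characters per position instead of 62, and for an eight-character alphanumeric password that is a factor of roughly 77 fewer candidates. That factor is consistent with the researcher’s 8 hours versus 26 days (26 × 24 / 8 ≈ 78). The character-class sizes, the eight-character length, the guess rate and the sample password are assumptions chosen for illustration; the hashing uses PBKDF2 from the Python standard library.

```python
"""Added example: how a case-insensitive login check shrinks the space an
attacker has to search.  Not from the original article; the alphabet sizes,
password length and guess rate are assumptions chosen for illustration."""
import hashlib
import hmac
import os

# Assumed character classes (printable ASCII): lower, upper, digits, symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32


def effective_alphabet(case_sensitive, digits=True, symbols=False):
    """Number of characters the verifier can actually tell apart per position.

    When the site folds case, every upper-case letter collapses onto its
    lower-case twin, so the 26 upper-case letters contribute nothing.
    """
    size = LOWER + (UPPER if case_sensitive else 0)
    if digits:
        size += DIGITS
    if symbols:
        size += SYMBOLS
    return size


def keyspace(length, case_sensitive, digits=True, symbols=False):
    """Distinct passwords of exactly `length` characters under the policy."""
    return effective_alphabet(case_sensitive, digits, symbols) ** length


def hours_to_exhaust(length, case_sensitive, guesses_per_second):
    """Worst-case brute-force time at an assumed guess rate."""
    return keyspace(length, case_sensitive) / guesses_per_second / 3600


def fold(password, case_sensitive):
    """Lower-casing before hashing is exactly the weak policy the study flagged."""
    return password if case_sensitive else password.lower()


def make_record(password, case_sensitive, salt=None, iterations=100_000):
    """Store a salted PBKDF2-HMAC-SHA256 hash of the (possibly folded) password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", fold(password, case_sensitive).encode(), salt, iterations
    )
    return {
        "salt": salt,
        "digest": digest,
        "iterations": iterations,
        "case_sensitive": case_sensitive,
    }


def verify(password, record):
    """Check a login attempt, applying the same folding the record was made with."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        fold(password, record["case_sensitive"]).encode(),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Eight-character alphanumeric password under both policies.
    weak, strong = keyspace(8, False), keyspace(8, True)
    print(f"case-insensitive: {weak:,} candidates")
    print(f"case-sensitive:   {strong:,} candidates ({strong / weak:.0f}x more)")
    # Assumed 10^8 guesses/s to show how the ratio carries over to time.
    print(f"hours at 1e8 guesses/s: {hours_to_exhaust(8, False, 1e8):.1f} "
          f"vs {hours_to_exhaust(8, True, 1e8):.1f}")

    # Constructed login attempts against a case-folding verifier: every
    # casing of the sample password is accepted.
    rec = make_record("CatLover2016", case_sensitive=False)
    for attempt in ("CatLover2016", "catlover2016", "CATLOVER2016"):
        print(f"{attempt!r} accepted: {verify(attempt, rec)}")
```

Run it and the second half shows the practical consequence: against the folding verifier an attacker never has to guess the user’s capitalisation, so a wordlist of all-lower-case words already covers “CatLover2016”, “catLOVER2016” and every other variant.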

As a point of comparison, the researchers noted that major social media sites use case-sensitive password policies. That means Facebook and Twitter may enforce stronger password rules than some of the largest banks.

Password Protection

So how can banks and their customers help mitigate the risk of a breach and protect customer data? Beyond the security discussions happening internally among a bank’s C-level management, there are password management steps that can be shared with customers to help them protect themselves:

  • Don’t choose easy or obvious passwords. Every year, the “worst passwords list” tends to feature many of the same combinations, such as “123456” or “password.” These are the first guesses any cracking tool tries.
  • Consider a password manager. These applications store all your passwords, so it’s easier to use a different, strong password for every site and to change them frequently, without having to remember multiple combinations.
  • Use a mix of numbers, letters and symbols. There’s a major difference between a password like “catlover” and “Ca7&L0v3r”: the first is easy for an attacker to crack, and the second is much more difficult. Keep in mind that length matters at least as much as the character mix; common letter-for-symbol substitutions are built into cracking tools’ rule sets, so a long passphrase beats a short, heavily substituted word.
  • Don’t make it personal. To make passwords easy to remember, many people use the names of their children, pets or hometowns and other identifying information. Not only can these details be picked up by monitoring your social media posts, but they may also put you at greater risk of identity theft, since an attacker who recovers the password gains more data about you to use.

Help your customers stay vigilant about protecting their information. Share best practices, like those listed above, to help them put strong password controls in place, and make sure your own login system treats upper- and lower-case letters as different characters so that the strength customers build into their passwords is not thrown away at the verifier.

Image courtesy of Flickr user Automobile Italia.

David Rabinovitz

Identity Protection Consultant at IdentityForce
David is aligned closely with C-level principals and provides them with coaching services focused on strategy, finance, ownership, deal structuring, and shareholder relationships, which led him to join one of his high-growth clients as their CFO. As a high-energy executive with a wealth of experience, David is a versatile corporate “fireman” whose skills are often sought after to assess and resolve complex business challenges, as he brings critical insight for business leaders in transition. He is also a long-standing Special Crew Volunteer for the Pan-Mass Challenge, an annual cycling fundraiser that strives to provide Dana-Farber’s doctors and researchers the resources necessary to discover cures for all types of cancer.