Do you bank online? Your account may not be as secure as you’d like to think it is! The other day I was setting up my online account with my cable television provider and was asked to select a password. As I normally do, I created a unique, complex password for the site and stored it in a master database that is itself password protected (by a different password, of course!). My passwords are always complex and usually anywhere from 10 to 12 characters in length. I was frustrated when my cable provider rejected my 11-character password, notifying me that I was limited to a maximum of 8 characters and no special characters!
I have not found this uncommon, either: I often find myself registering with websites that essentially force me into selecting a weak password. American banks in particular have been under fire from security professionals for their current lack of strong security. A recent report by the OSCE, which is of particular significance to U.S. banking customers, reveals that “Bank network security, especially regarding log-on procedures, falls short of consumer expectations. Log-on protocols elsewhere utilize strong authentication. U.S. banks generally fail to meet that standard.” Read more about this on the E-Commerce News website: “Are Banks Short-Changing You on Security?”
Here are a few quick (and somewhat disturbing) facts about the current state of password security…
- 61% of passwords were either only lowercase letters or all digits (examples: iloveyou or 123456).
- 60% of web users only have one password that they use for all of their online accounts, including Facebook, PayPal, email, and banks, according to a recent study.
- An estimated 1 in 9 people use one of the Top 500 passwords posted on WhatsMyPass.com.
A study by Trusteer Inc., a New York-based online security vendor, found that 73% of bank customers use their Internet banking password to access non-financial — and less secure — websites, while forty-seven percent use both their online banking user ID and password on other websites.
Security expert Bruce Schneier wrote an article about a British bank (Lloyd’s) that rejected a man’s password because they felt it was “not appropriate”. The article, though not directly applicable to what we are discussing today, does conclude by noting that at least that bank allowed more than four characters in a password, albeit stopping the customer at six characters (which, honestly, isn’t any more secure). You can read all of Bruce’s article here.
How quickly can you be hacked?
Spend a few minutes at the Online Password Generator and you can find out just how quickly your password could be cracked by brute force. A four-character password, no matter what special characters or numbers are used, can be cracked in less than one second (if unlimited attempts were possible). Add two more simple characters and the time only increases to 53 seconds on an Intel® Core™2 Duo E4500. An eight-character password utilizing numbers and letters will take about 19 hours, 19 minutes. Punch in a twelve-character password that utilizes upper and lower case, numbers and special characters and it will take a whopping 377283354 years, 7 months to crack.
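To see where figures like these come from, here is an added example (not from the article or from the Online Password Generator) that computes the brute-force keyspace a site's password policy permits and the worst-case time to exhaust it. The character-class sizes, the 4e7 guesses-per-second rate and the two policies are assumptions, chosen so the eight-character case roughly matches the 19-hour figure above.

```python
"""Estimate worst-case brute-force time under a password policy.

Assumptions (not from the article): printable-ASCII class sizes and a
single-CPU guess rate of 4e7 candidates per second.
"""
from dataclasses import dataclass

LOWER, DIGITS, UPPER, SYMBOLS = 26, 10, 26, 33   # printable ASCII (assumed)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass(frozen=True)
class Policy:
    name: str
    max_len: int          # longest password the site will accept
    allow_upper: bool     # can the user mix in upper-case letters?
    allow_symbols: bool   # can the user mix in special characters?


def charset_size(allow_upper: bool, allow_symbols: bool) -> int:
    """Alphabet an attacker must cover for a password drawn from these classes."""
    size = LOWER + DIGITS
    if allow_upper:
        size += UPPER
    if allow_symbols:
        size += SYMBOLS
    return size


def keyspace(length: int, allow_upper: bool, allow_symbols: bool) -> int:
    """Number of candidates of exactly `length` characters (exact integers)."""
    return charset_size(allow_upper, allow_symbols) ** length


def years_to_exhaust(space: int, guesses_per_sec: float = 4e7) -> float:
    """Worst case: every candidate tried once at the assumed guess rate."""
    return space / guesses_per_sec / SECONDS_PER_YEAR


def best_case(policy: Policy) -> int:
    """Largest keyspace a user can reach while staying inside the policy."""
    return keyspace(policy.max_len, policy.allow_upper, policy.allow_symbols)


# Constructed policies: the cable provider's limit from the post (modelled as
# case-insensitive letters plus digits) and a permissive one allowing 12+ chars.
CABLE_PROVIDER = Policy("max 8, letters/digits only", 8, False, False)
PERMISSIVE = Policy("12+ chars, any printable", 12, True, True)

if __name__ == "__main__":
    for p in (CABLE_PROVIDER, PERMISSIVE):
        space = best_case(p)
        print(f"{p.name:28s} keyspace ~2^{space.bit_length() - 1}, "
              f"~{years_to_exhaust(space):.3g} years to exhaust")
```

The point for a defender is that the policy caps the user, not the attacker: the best an 8-character alphanumeric policy can offer is under a day of exhaustive guessing at this rate, while a 12-character mixed password pushes the same calculation past a hundred million years.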
Not as Secure as the Bank would have you believe
In summary, online banking is simply not yet as secure as banks would like you to believe. Internet criminals are aggressive and use many methods to steal credentials, including database breaches, brute-force attacks and phishing scams. The majority of these attacks are performed against social networking sites such as Facebook or Twitter, where the stolen credentials can then be turned around and reused against banks. If you are one of the 47% who use the same credentials on a social networking site as you do at your bank, then consider yourself seriously warned. If on the other hand your bank allows complex passwords (like the one mentioned in the paragraph above) and has a secure (HTTPS) login, well then… bank online at your own risk!
Read more on password security as well as some interesting facts at the infocarnivore password archive.
8 comments
Paul says:
Sep 9, 2010
I recently changed my online banking password, but was astonished to find out that my new password was too long. I have also been to some web sites where they only allowed alphanumeric characters with a length restriction of about 10 characters. Security is not where it should be online.
It isn’t hard to create secure passwords as long as users are provided the ability to create long, secure passwords.
Daniel Snyder says:
Sep 10, 2010
Paul, thanks for your comment! I’m in agreement with you about online security: improvements need to be made – especially to North American banking systems.
CharlesCS says:
Sep 9, 2010
I used to use the same password for most of my logins before, but as I read stories online about how all it would take was to get it once and I was done, I have tried changing passwords and using more than one. To be honest, I do use very complex passwords like the writer of this article does, although I am strongly considering changing this habit soon, as I noticed my bank had recently changed their login process to something more annoying, longer and downright a pain in the ass; then all of a sudden it went back to the previous login system. I guess people must have complained about how terrible the new login system was, which to be honest made it very difficult to access the site even when you had all the necessary information.
Sometimes you just have to be reminded that you need to pay more attention to these kinds of issues in order to safeguard yourself. Thanks for the article.
Daniel Snyder says:
Sep 10, 2010
Charles, thanks for commenting. I know a lot of banks realize they need to make changes, and want to implement them – but finding the right balance between being user friendly and being secure is a challenge. In Europe you can get a card scanner that attaches to your computer – you have to scan your card in order to access your account online. Simple, fast, and secure!
TeleSign Matt says:
Sep 14, 2010
Timely and relevant analysis of the inherent risks associated with banking online. Many financial institutions are moving toward two-factor authentication as a means for deterring password compromise. I’ve been working with such a company, called TeleSign (http://www.TeleSign.com), and their solutions have been incorporated into the global banking sector.
Respectfully,
TeleSign Matt
Daniel Snyder says:
Sep 15, 2010
Thanks for the tip Matt!