Canadian banking password policies

I have gathered the password policies for most of the major Canadian banks.  Here are the password policies:

| Bank | Minimum length | Maximum length | Allows special characters | Notes |
| --- | --- | --- | --- | --- |
| BMO | 6 | 6 | No | All passwords must be 6 digits in length!  Your web password is also used as your phone banking password?! |
| TD Canada Trust | 5 | 8 | No | |
| CIBC | 6 | 12 | No | No suggestions or tips, and no indications whatsoever about allowed characters; but trying to use special characters gives you an error. |
| PC Financial (CIBC managed) | 6 | 12 | Unknown | No suggestions or tips, and no indications whatsoever about allowed characters. |
| Scotiabank | 8 | 16 | No | Must use at least 1 number and one letter |
| RBC Royal Bank | 8 | 32 | Yes! | Encourages special characters, and has a two-step process for choosing a decent password |

Here are the screen-shots of the various banking websites’ security-related pages:

Apparently nobody I know uses CIBC, but we were able to get PC Banking, which is managed by CIBC.

Update 2013-04-12: I was able to get a hold of the CIBC password policies!  It doesn’t say on the screen but special characters are not allowed, and trying to use them generates an error message.  I also received the BMO password page, but it really deserves its own blog post…

RBC is the clear winner here in terms of password security, encouraging special characters and supporting 32 characters.  TD’s maximum allowed password length is Scotiabank’s and RBC’s minimum password length, and BMO doesn’t even let you have a password that long.  Considering that neither TD nor BMO supports special characters, these two clearly have the least secure password policies of these banks.
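To put numbers on that comparison, here is an added example (not part of the original post) that counts how many distinct passwords each policy in the table accepts. The alphabet sizes are assumptions: the table only says whether special characters are allowed, so letters are assumed case-sensitive and "special" is taken as the 32 printable ASCII symbols, which makes every figure an upper bound.

```python
import math

# Assumed alphabet sizes (not stated on the page): case-sensitive letters,
# and 32 printable ASCII symbols where special characters are allowed.
DIGITS, LETTERS, SPECIALS = 10, 52, 32

# bank: (min length, max length, alphabet size, must mix letters and digits)
# PC Financial is left out because its character rules are "Unknown".
POLICIES = {
    "BMO": (6, 6, DIGITS, False),  # "6 digits" per the table
    "TD Canada Trust": (5, 8, DIGITS + LETTERS, False),
    "CIBC": (6, 12, DIGITS + LETTERS, False),
    "Scotiabank": (8, 16, DIGITS + LETTERS, True),
    "RBC Royal Bank": (8, 32, DIGITS + LETTERS + SPECIALS, False),
}

def keyspace(min_len, max_len, alphabet, must_mix):
    """Count every password the policy accepts, over all allowed lengths."""
    total = 0
    for n in range(min_len, max_len + 1):
        count = alphabet ** n
        if must_mix:
            # Inclusion-exclusion: drop the all-letter and all-digit strings.
            count -= LETTERS ** n + DIGITS ** n
        total += count
    return total

def keyspace_bits(bank):
    """Upper bound on password strength, in bits, for one bank's policy."""
    return math.log2(keyspace(*POLICIES[bank]))

def ranking():
    """Banks ordered from smallest to largest keyspace."""
    return sorted(POLICIES, key=keyspace_bits)

if __name__ == "__main__":
    for bank in ranking():
        print(f"{bank:16s} {keyspace_bits(bank):6.1f} bits")
```

Under these assumptions BMO's policy tops out at about 20 bits and TD's at about 48 bits, while RBC's allows roughly 210 bits; real user-chosen passwords will be weaker than any of these bounds.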

Security questions

In addition to passwords, several of the banks support “security” questions, such as TD’s “What is your favourite chocolate bar”, while Scotiabank supports a 5 – 8 digit “Access code” that is required to perform certain operations.

Unfortunately, security questions really aren’t that secure.  In fact, there’s an entire website devoted to this:

This and other websites recommend that the answer to a good security question has all four of the following characteristics:

  1. It must be safe, so that hackers cannot easily guess or research the answer to the question;
  2. The answer must be stable, and not change over time (so the favourite whatever category of questions are not very good);
  3. Obviously the answer must be memorable so the user doesn’t forget it;
  4. The answer must be simple.

Finding questions with these kinds of answers is very difficult.  From the website:
“Security questions create a potential hole or breach in security by providing ways for unauthorized users to gain access if the answer can be discovered.”

In today’s age of social media, discovering the answers to such questions is often far easier than you might think. People are posting unending streams of information about themselves on Twitter, Facebook, and Pinterest.  If that doesn’t help a hacker, the under-web also makes it easy and cheap to purchase a person’s credit report:

“the hackers had considerable amounts of information about the victims, including social-security numbers and other personally identifying information.”

For this reason security questions are really not that great for protecting security.  This is not a new revelation; on June 17, 2005, the U.S. Federal Deposit Insurance Corporation (FDIC) published supplementary guidelines indicating that challenge questions are not compliant with US regulations!

In 2009 this allowed a woman to sue her bank for lax security after she had $26,000 stolen from her account by a hacker, because the bank only used a password and security question!

So what’s the solution?

Two-factor authentication

Two-factor authentication provides a much stronger form of authentication.  Two-factor authentication requires two of the following three:

  1. Something the user knows – a password or security question / answer
  2. Something the user has – such as a security key-fob or a cell-phone
  3. Or something the user is, such as a finger-print

Both a password and the answer to a security question are something the user knows, and therefore this authentication pair is not actually two-factor authentication.  Getting a user’s finger-print over the internet is obviously not going to happen any time soon.

What are other companies doing?

GMail, Yahoo and Outlook allow you to use your cell-phone as a second factor authentication device.  For example, every time I log onto my Google account, Google sends a text message containing a secret code to my cell phone.  I enter that code into the website and only then am I allowed to log in.  If you don’t have a text-capable device Google even has an automated system that can call a traditional voice-only land-line and speak the code to you.  This is just to protect your e-mail, Google Analytics or AdWords account!


There are at least three plug-ins for WordPress that can give your WordPress small-business website or blog two-factor authentication:

  • Authy – Like Google, each time you need to log-in to your website Authy will send your phone a text message with a unique secret code.  You must enter this code into the website before you can completely log-in.  The secret code changes every 20 seconds, and each code can only be used once.  Very nice.  CloudFlare uses Authy to protect CloudFlare users as well.
  • Duo – Similar to Authy, after you login to your WordPress website Duo will require you to enter a secret code.  Duo will send your phone a text-message containing 6 different codes, although you only enter one code each time you login.  This means that one text message is good for six different log-ins, reducing the total number of text messages Duo has to send and you have to pay to receive.  (Unfortunately, there seems to be a bug in the plug-in, because shortly after I installed it, a number of core WordPress files got corrupted!)
  • Google Authenticator – Enables you to use Google’s two-factor authentication on your own website.  I haven’t used this plug-in myself.

So it’s very easy to protect your WordPress small-business website or blog with two-factor authentication.


[Image: Ezio Time-based 6-Digit Token for use with Amazon Web Services]

Amazon Web Services can also be protected with two-factor authentication.  They support any TOTP-compliant app on your computer, smart phone, or tablet.  Like the other methods discussed above, TOTP is a secure and standardized way of generating unique one-time keys every 30 seconds.  This allows you to use any device with a TOTP app to generate a unique secret code, and then type in the code to Amazon when logging in.  Only your device and Amazon will know the code at any given second.  Alternatively you can buy a $13 key that will generate a unique code every 30 seconds and basically works the same way.


So we’ve seen that (with the exception of RBC) the Canadian banks have very poor password policies.  Furthermore, all of the Canadian banks are using one-factor authentication, which is not compliant with US regulations at least.  We’ve seen that major e-mail providers and Amazon provide powerful two-factor authentication to protect your e-mail and your web services, and you can even protect your blog or small-business website with cheap two-factor authentication.

While there do not seem to be any Canadian banking regulations regarding online banking website security, I nevertheless wonder how willing Canadian courts would be to look to other Canadian industries, and to the US banks, for inspiration if somebody lost money due to a hack at a Canadian bank.

Personally, my online web bank account is linked to my small business account, my RRSPs, my kids’ RESPs, and my mortgage!  That’s pretty much my entire life savings right there.  I for one would happily pay say a $1/month service fee to be able to protect my bank account with two-factor authentication.  And I would REALLY like to have a decent sized password with some special characters in it!!

It’s 2013.  I think the Canadian banks need to step up their game and support 2013 style authentication mechanisms; 8 character maximum passwords just don’t cut it any more.

