Somebody commented to me the other day that a bank’s website wasn’t secure because of their poor password policies, and I’m sorry I gave that impression. I can’t speak to their security overall, because I don’t know their network topology and a hundred other things about how they’ve implemented their systems and how they’ve trained their personnel.
Security always needs to be thought of holistically, and companies should absolutely be using a defence-in-depth strategy. The banks know better than I do what other layers of security are involved, and are hopefully considering those when implementing their password policies.
For example, both BMO and TD (I don’t know about the others) will store a cookie on your machine when you log in. The next time you log on, if that cookie isn’t present then their websites will ask you an additional security question. This is supposed to prevent unauthorized access by a hacker on a different machine (except that the security questions are usually weak). BMO does a very nice job of this, specifically asking if you want to trust the new machine you’re logging in from. I think they could probably go farther with this (for example, time-of-day analysis), but what they have is a nice 2nd layer of defence.
I also understand that companies need to simplify the security process and password policies as much as possible, both to give their customers a smooth website experience, and to lower call-centre support costs. There is always a balance to be found between cost, usability and security (and more subtle things like implementation complexity, long-term support and maintenance complexity, etc.).
No downsides to better password policies
However, strong password policies and password management (by both the customer and the company) are very important and can have a big impact on overall security, and users are becoming accustomed to stronger passwords because the rest of the internet seems to be demanding better passwords!
My belief is that, at the very least, allowing customers to have long passwords with special characters doesn’t make implementation or usability any more difficult. As more and more websites have password strength meters and also require upper- and lower-case letters, numbers and special characters, users are getting more used to these password requirements. NOT allowing them is strange. As for implementation, password hashing works on bytes anyway, so allowing special characters is no extra work.
Similarly, as more and more users have phones and more and more websites enable (and encourage) two-factor authentication, users are becoming very familiar with these techniques.
Weak grandfathered passwords
All of the banks, and indeed many websites, suggest that users change their passwords on a regular basis. However, none of the websites that I have seen (except Microsoft Outlook.com) provide a way to remind you to change your password or force you to occasionally change your password.
What this means is that even if the banks were to improve their password policies, people would still have existing and very poor passwords. One person told me that their banking password was only four characters long! This password was created several years ago when the bank’s password policy allowed this, even though the password policy now requires at least six characters.
So regardless of the other layers of security a bank is using, here are 4 steps that I think the Canadian banks should be taking regarding their password policies that would dramatically improve password security:
- Implement strong password policies, with a minimum password length of 12, a maximum of 100 (for password management tools), and special characters required;
- Require all older passwords to be changed so that they meet the new password policies as users log in;
- Disable accounts with old passwords that have not been accessed in over 12 months, preventing a hacker from taking advantage of grandfathered weak passwords;
- Provide two-factor authentication.
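To show how the first three steps fit together, here is an added example (my own illustration, not code from any bank): a policy check using the post’s 12/100/special-character rules, a byte-based hash showing that non-ASCII characters cost nothing extra, and a login-time decision that forces a change for grandfathered passwords or disables accounts idle for over 12 months. The `policy_version` field and `Account` record are assumptions for the sake of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib
import os

# Policy values taken from the post: 12..100 characters, at least one
# special character, and an idle limit of 12 months for old-policy passwords.
MIN_LEN, MAX_LEN = 12, 100
IDLE_LIMIT = timedelta(days=365)
POLICY_VERSION = 2  # assumption: bumped each time the policy is tightened


def password_violations(password: str) -> List[str]:
    """Return the rules a candidate password breaks (empty list means accepted)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Hash the UTF-8 bytes with a salted PBKDF2; any character works the same."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest


@dataclass
class Account:
    policy_version: int   # policy that was in force when the password was set
    last_login: datetime  # assumption: tracked by the site for idle checks


def login_action(account: Account, now: datetime) -> str:
    """Decide at login what to do with a possibly grandfathered password."""
    if account.policy_version >= POLICY_VERSION:
        return "ok"                   # already compliant with the current policy
    if now - account.last_login > IDLE_LIMIT:
        return "disable"              # step 3: idle account, old-policy password
    return "force_change"             # step 2: must set a compliant password now
```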
It’s unfortunate that the Canadian banks seem to be laggards regarding website password policies rather than leaders, but it wouldn’t be hard for them to improve.
PS. I’m going to have one more post about how you as an individual can have excellent passwords for all of your websites, and then I’ll stop writing about password security for a while and return to examining some other topics of interest such as social engineering attacks and building WordPress websites. Sorry if I’ve been harping on this too much.
Let me know if you’d like to see any other topics.