Financial Institutions and Passwords

You would think that financial institutions would want individuals to choose really strong passwords that are difficult to guess.  But in at least one very big case, you would be wrong.  What makes a strong password?  Several things:

  • A lot of characters.  The more the merrier.  The only limitation on this is that you have to remember All of That.
  • A lot of randomness.  That is, words in a dictionary are bad, because attackers will often go through dictionaries to attempt to guess passwords.
  • Characters that are not letters or numbers.  This increases the search space, given a certain sized password.

Now let’s review the actual guidance given by a very popular broker:

Your new password must:

  • Include 6-8 characters AND numbers
  • Include at least one number BETWEEN the first and last characters
  • Contain no symbols (!,%,# etc.)
  • Cannot match or be a subset of your Login ID

Examples of valid passwords: kev6in, 2be111, wil1iam

In other words, they’re violating two very big rules.  The 6-8 character limit shrinks the search space and rules out passphrases, which are actually easier to remember than passwords.  Banning symbols shrinks the search space further, which makes it easier for attackers to perform a dictionary attack.
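To put numbers on that, here is an added example (not part of the original post and not the broker's code) that checks a password against the four quoted rules and counts exactly how many strings can pass them. It assumes letters are case-insensitive, reads "characters AND numbers" as "at least one letter and one digit", and uses a constructed login ID, `jsmith`.

```python
import math
import string

def broker_valid(pw, login_id):
    """Check a password against the four rules quoted above."""
    return (
        6 <= len(pw) <= 8
        and pw.isascii() and pw.isalnum()        # no symbols
        and any(c.isalpha() for c in pw)         # "characters AND numbers"
        and any(c.isdigit() for c in pw[1:-1])   # digit strictly inside
        and pw.lower() not in login_id.lower()   # not the ID or a subset of it
    )

def count_valid(n, letters=26, digits=10):
    """Number of length-n strings meeting the composition rules.

    letters=26 assumes the site ignores case (assumption; use 52 if not).
    The Login ID rule is ignored: it removes only a handful of strings.
    """
    a = letters + digits
    # first and last characters are free; the n-2 inner ones need a digit
    inner_has_digit = a**2 * (a**(n - 2) - letters**(n - 2))
    return inner_has_digit - digits**n   # drop all-digit strings (no letter)

def broker_bits(letters=26):
    """log2 of every password the policy admits, lengths 6 through 8."""
    return math.log2(sum(count_valid(n, letters) for n in (6, 7, 8)))

def random_bits(n, alphabet):
    """Entropy of a uniformly random length-n string over `alphabet` symbols."""
    return n * math.log2(alphabet)

# Letters, digits and punctuation: the printable ASCII set without space.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)

if __name__ == "__main__":
    # Constructed inputs: the post's three examples plus two that break a rule.
    for pw in ("kev6in", "2be111", "wil1iam", "kevin6", "kev6in!"):
        print(f"{pw:10} valid={broker_valid(pw, 'jsmith')}")
    print(f"broker policy (all lengths):  {broker_bits():.1f} bits")
    print(f"8 random printable chars:     {random_bits(8, PRINTABLE):.1f} bits")
    print(f"16 random printable chars:    {random_bits(16, PRINTABLE):.1f} bits")
```

The bit counts are upper bounds that assume uniformly random choices; passwords shaped like the broker's own examples (a name with one digit swapped in) fall far below them.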

This site is not alone.  Many sites have the same problem, and it is likely a problem with what their security professionals think is the industry standard.  Well, it’s a bad standard.  Who takes on the risk?  In the brokerage world, the chances are that you are assuming at least some risk.

2 thoughts on “Financial Institutions and Passwords”

  1. My investment company has just changed their rules and made me change my password. It now MUST have at least one each of the following:
    – upper-case letters
    – lower-case letters
    – numbers
    – “special characters”

    It also has to be some number of characters… at least 8, and I forget what the maximum is, but it’s reasonable.

    At the same time, I also had to choose three from their list of “security questions”, all of which had to do with personal information that someone could easily find out. AND, the answers were NOT allowed to contain any “special characters”. (Huh? WTF not?)


    So I picked questions that don’t apply to me (“What was the first name of the maid of honor at your wedding?” and “What is the first name of your oldest nephew?”), and gave bogus answers, which I have written down.

    Really, why aren’t we just using X.509 certificates for authentication, and making the password just serve for local access to the cert? Then we don’t have to worry about some third party snagging the password.
