Third of US banks OK with passwords even social networks reject

Six of 17 major US banks have weaker password enforcement procedures than most social networking websites, according to a new study by an American university.

The banks ask users to set up passwords that include letters and special symbols, but a study by researchers at the University of New Haven shows that in around a third of cases these passwords may not be case sensitive. This means any combination of upper and lower case letters might work. Ignoring case sensitivity reduces the entropy of login credentials, making them less resistant to cracking as a result.

"We were very surprised when we learned that banks have fewer requirements for passwords than social media sites," said Walter Gordillo, '16 of Norwalk, Connecticut, a cyber systems major who took a lead on the University of New Haven Cyber Forensic Research and Education Group (UNHcFREG) project.

Banks with the issues include Wells Fargo (70 million customers), Capital One (50 million customers), BB&T, Webster First Federal Credit Union, Chase Bank (50 million customers), and Citibank (200 million customers).

El Reg contacted PR representatives of Wells Fargo, Capital One and Chase Bank as well as US banking organisations (Financial Services Information Sharing and Analysis Center (FS-ISAC) and Financial Services Roundtable (FSR)) for reaction to the study. We're yet to hear back, but will update this story as and when we hear more.

Frank Breitinger, UNH assistant professor and co-director of UNHcFREG, oversaw the study, which was carried out by UNH undergraduates in an introduction to computer security course. "Consumers believe that banks with several million customers should have strong security mechanisms in place to protect accounts, starting with password policies," Breitinger argued.

The research group attempted to contact the banks through their regular hotlines to inform them about what they had found and to ask for a statement in reaction to the findings of the research.

"It turned out that it is almost impossible to contact and notify them about a security issue," Breitinger said.

"Our findings raise an important question: why do social networking platforms and many others not related to personal and business finances adopt much stricter password policies?" Breitinger asked.

More details about the research can be found here.

Sweet 2FA

Per Thorsheim, an infosec researcher and founder of the PasswordsCon conference, said the findings of the research were "interesting, but not surprising."

"Based on what I know of US banks, I think that European banks are ahead of the US in this area [password security]," he told El Reg.

"Europe deploys advanced security technology, US does more financial risk analysis."

It would be wrong to regard social media profiles as thruway items that are therefore ill-deserving of rigorous password security policies, according to Thorsheim.

"Social media sites actually keep a lot more sensitive information about you than any bank will probably ever do. At the same time, people tend to consider their money more important than information, pictures & videos of themselves, family, friends and colleagues."

Password security is only one component of online safety. In particular, two-factor authentication (2FA) controls are used by many banks to safeguard against account takeover and fraud, Thorsheim added.

"Examining the password policy by itself is interesting, there's no mention of two-factor authentication such as software or hardware tokens or biometrics, fraud detection."

"I am sure that the affected banks have all done their financial and market risk analysis to justify their security, with perhaps the biggest consideration being 'if we [make] it harder to log in compared to our competition, we may lose customers'," Thorsheim concluded. ®