Financial Institutions and Passwords

You would think that financial institutions would want individuals to choose really strong passwords that are difficult to guess.  But in at least one very big case, you would be wrong.  What makes a strong password?  Several things:

  • A lot of characters.  The more the merrier.  The only limitation on this is that you have to remember All of That.
  • A lot of randomness.  That is, words in a dictionary are bad, because attackers will often go through dictionaries to attempt to guess passwords.
  • Characters that are not letters or numbers.  This increases the search space, given a certain sized password.

Now let’s review the actual guidance given by a very popular broker:

Your new password must:

  • Include 6-8 characters AND numbers
  • Include at least one number BETWEEN the first and last characters
  • Contain no symbols (!,%,# etc.)
  • Cannot match or be a subset of your Login ID

Examples of valid passwords: kev6in, 2be111, wil1iam

In other words, they’re violating two very big rules.  The 6-8 character rule means that they are limiting the search space, and people cannot put together phrases, which are actually easier to remember than passwords.  Removal of symbols from the search space makes it easier for attackers to perform a dictionary attack.

This site is not alone.  Many sites have the same problem, and it is likely a problem with what their security professionals think is the industry standard.  Well it’s a bad standard.  Who takes on the risk?  In the brokerage world, the chances are that you are assuming at least some risk.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]