Weak Bank Password Policies Leave 350 Million Vulnerable, Say Researchers

Researchers claim major banks are implementing poor password policies and leaving customers vulnerable to brute force “key-search” attacks.

Should passwords that protect your financial data be less secure than the ones used to lock up selfies, cat videos and tweets swapped on social networks?

In a study that looked at the password strength required to access website account for Wells Fargo, Capital One and 15 other banks, researchers found that 35 percent had significant weaknesses in their password policies, according to University of New Haven Cyber Forensic Research and Education Group.

“We couldn’t believe that the passwords people rely on to protect their financial crown jewels were less secure than those required to lockdown social media accounts like Twitter,” said Frank Breitinger, assistant professor and cyber security expert at the University of New Haven, in an interview with

UNH released its finding Tuesday singling out 6 of 17 banks examined for the report. UNH reports the banks with poor password policies include Wells Fargo, Capital One, Chase Bank, Citibank, Webster First Federal Credit Union, and BB&T Corp. – representing approximately 350 million accounts. The research was conducted by five undergraduate researchers with the University of New Haven’s Cyber Forensic Research and Education Group.

None of the six banks Threatpost reached out to for comment has returned the request.

The crux of UNH’s finding center around the fact all the banks in question had website password policies that do not differentiate between upper and lower-case letters. That, according to the study, is the difference between a “strong” password and a less secure password.

“We would expect banks to use the highest standard with respect to bank customer password policies,” Breitinger said. “If these banks took the very simple step to support case-sensitive passwords, customers would be much less vulnerable to having their accounts compromised,” he said.

It’s unclear what the exact password creation policies are for each of the 6 banks identified by UNH. For example, are case-insensitive passwords limited to 8 characters? Can special symbols such as # or % be used? Breitinger said, his research focused on what were the most typical passwords that were about 8 characters long and used a combination of letters and numbers.

“People create passwords all the time with upper and lower case letters,” Breitinger said. “These banks, by not supporting case-sensitive passwords, seem to be going out of their way to make passwords more insecure.” By not allowing customers to create case-sensitive passwords banks are significantly increasing the odds that an attacker could perpetrate a brute force key-search attack to guess the password, Breitinger said.

The difference between guessing 62 character combinations versus 26 is huge, Breitinger said. He estimates a brute force key-search attack on a case-insensitive password eight characters long, that do not utilize any special characters such as symbols, could take as little as 8 hours. A similar password that is case sensitive, and with no symbols, would take approximately 26 days for an attacker to crack with the equivalent of a super computer.

During the course of the research, UNH’s Cyber Forensic Research and Education Group was also troubled by each of the banks’ ability to respond to customer feedback regarding real and perceived security threats. Breitinger said when his researchers attempted to alert banks of the password security threat it discovered there was no formal mechanism.

“It turned out that it is almost impossible to contact and notify them about a security issue – we couldn’t find any e-mail address or phone number to report this security issues, but some banks offered phishing notification e-mail accounts and phone numbers,” according to the report.

Breitinger said all banks were notified through their phone hotlines. He said, researchers were dismayed by many of these banks whose representative didn’t know how to respond to the research and failed to escalate concerns to a security or IT department.

“If these banks are going to ignore a university research team, then what’s going to happen when a consumer calls up to tell them about a glaring security vulnerability they find?” Breitinger said.

“Our findings raise an important question: why do social networking platforms and many others not related to personal and business finances adopt much stricter password policies?” Breitinger asked.

Suggested articles