Weak Bank Password Policies Leave 350 Million Vulnerable, Say Researchers

Researchers claim major banks are implementing poor password policies and leaving customers vulnerable to brute force “key-search” attacks.

Should passwords that protect your financial data be less secure than the ones used to lock up selfies, cat videos and tweets swapped on social networks?

In a study that looked at the password strength required to access website account for Wells Fargo, Capital One and 15 other banks, researchers found that 35 percent had significant weaknesses in their password policies, according to University of New Haven Cyber Forensic Research and Education Group.

“We couldn’t believe that the passwords people rely on to protect their financial crown jewels were less secure than those required to lockdown social media accounts like Twitter,” said Frank Breitinger, assistant professor and cyber security expert at the University of New Haven, in an interview with
Threatpost.

UNH released its finding Tuesday singling out 6 of 17 banks examined for the report. UNH reports the banks with poor password policies include Wells Fargo, Capital One, Chase Bank, Citibank, Webster First Federal Credit Union, and BB&T Corp. – representing approximately 350 million accounts. The research was conducted by five undergraduate researchers with the University of New Haven’s Cyber Forensic Research and Education Group.

None of the six banks Threatpost reached out to for comment has returned the request.

The crux of UNH’s finding center around the fact all the banks in question had website password policies that do not differentiate between upper and lower-case letters. That, according to the study, is the difference between a “strong” password and a less secure password.

“We would expect banks to use the highest standard with respect to bank customer password policies,” Breitinger said. “If these banks took the very simple step to support case-sensitive passwords, customers would be much less vulnerable to having their accounts compromised,” he said.

It’s unclear what the exact password creation policies are for each of the 6 banks identified by UNH. For example, are case-insensitive passwords limited to 8 characters? Can special symbols such as # or % be used? Breitinger said, his research focused on what were the most typical passwords that were about 8 characters long and used a combination of letters and numbers.

“People create passwords all the time with upper and lower case letters,” Breitinger said. “These banks, by not supporting case-sensitive passwords, seem to be going out of their way to make passwords more insecure.” By not allowing customers to create case-sensitive passwords banks are significantly increasing the odds that an attacker could perpetrate a brute force key-search attack to guess the password, Breitinger said.

The difference between guessing 62 character combinations versus 26 is huge, Breitinger said. He estimates a brute force key-search attack on a case-insensitive password eight characters long, that do not utilize any special characters such as symbols, could take as little as 8 hours. A similar password that is case sensitive, and with no symbols, would take approximately 26 days for an attacker to crack with the equivalent of a super computer.

During the course of the research, UNH’s Cyber Forensic Research and Education Group was also troubled by each of the banks’ ability to respond to customer feedback regarding real and perceived security threats. Breitinger said when his researchers attempted to alert banks of the password security threat it discovered there was no formal mechanism.

“It turned out that it is almost impossible to contact and notify them about a security issue – we couldn’t find any e-mail address or phone number to report this security issues, but some banks offered phishing notification e-mail accounts and phone numbers,” according to the report.

Breitinger said all banks were notified through their phone hotlines. He said, researchers were dismayed by many of these banks whose representative didn’t know how to respond to the research and failed to escalate concerns to a security or IT department.

“If these banks are going to ignore a university research team, then what’s going to happen when a consumer calls up to tell them about a glaring security vulnerability they find?” Breitinger said.

“Our findings raise an important question: why do social networking platforms and many others not related to personal and business finances adopt much stricter password policies?” Breitinger asked.

Suggested articles

Discussion

  • Dave on

    I was shocked when I discovered that American Express not only uses case-insensitive passwords, but limits you to a pool of a half dozen special characters. I'm saddened, but not at all surprised, to see they're not the only ones with password policies from the 80s.
  • Josh on

    Did this study take into account banks that require 2FA to perform transactions after you've logged in?
  • Windsorrider on

    I have not had the experience of a financial site that does not differentiate upper an lower case letters, but I have seen numerous sites that do now allow 'special' characters. Recently this has been less an issue. One financial institution I spoke with actually told me special characters made the password LESS secure.
  • JLH on

    I am still frustrated to this day that one of the banks I use for a retirement account limits me to 12 non-special character passwords with NO 2FA! I change PW every 30 days for financials, after my first 30 day change, I received automated emails that night saying that an incorrect PW was used too many times to attempt login. Compromised within the first 30 days... My primary bank uses 16 character max(w/ special characters) and allows for 2FA. No consistency in the financial sector with regard to PW security/complexity.
  • BBT Client on

    I found this because I was searching to find a forum thread where I could rant about BB&T's policy. A bank that doesn't allow special characters in passwords. DOESN'T ALLOW IT! So I think, "I'll make the password really long to compensate." Except, no, length restriction is 8-12. That's protecting my bank account. The policy is obviously there more to reduce the number of password resets that they need to handle because of people forgetting complex passwords, and to cater to the "why do I need such a 'hard' password" crowd. Thanks for the opportunity to rant. Feel better. Step it up BBT.
  • BBT Client on

    Just got an answer back on why the limitation is what it is for BBT. "The password policy is hard coded, and that is what is supports." If that was supposed to make me feel better, put another scratch on the fail counter. If the system was written with those restrictions, I'm positive it's full of vulnerabilities. It shows the security consciousness of the developer is next-to-null. I'm sure it's illegal, so I can't, but I would love to see what an out-of-the-box OWASP scanner would return against the online banking system. Still upset.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.