24

I just received an email from my credit union saying they are redesigning their online banking service and that I will need to change my password by October 22 to conform to the new limit of 10 characters. The current limit is 20 characters.

This reduces the maximum password entropy from 125 to 54 bits (according to KeePass), compromising the security of passwords. More importantly, though, I fear that this is evidence the web architects behind this redesign are clueless about security.

Questions:

  1. Am I getting worked up over nothing? Is 10 characters actually enough even if you are limited to letters and numbers?
  2. If not, are there any regulations specifying or recommending a maximum password length for online banking services?
  3. Can you recommend a reference on website security best practices I can send my credit union to bolster my case that 10 characters is inadequate?

Update

I contacted my credit union today (a Saturday) about their security practices, and someone actually responded to the email same day. Judging from the replies, it sounds like they have offsite vendors that handle passwords, the security question system, and the like, and passwords are encrypted and never stored as plain text. Also, they are now allowing passwords to contain symbols rather than just letters/numbers, so that slightly improves the maximum strength of a password over what I thought (though it's still a reduction from the original requirements). So, while I'm not entirely convinced that site security is optimal, it doesn't sound like a complete disaster. Thanks for all the advice and feedback.

AviD
devuxer
  • What concerns me is, *why* would you want to make such a change? If the password is properly stored, 20 or 10 characters should not make a difference. The only practical reason I see for someone to do that is because they want to reduce the size of their password field in the database, which could indicate they are encrypted, or worse. Even then this seems like a stupid thing to do since storage is so cheap nowadays. Honestly, I have no idea why anyone would bring this up. – quantumSoup Oct 19 '12 at 22:31
  • What services are compromised if the password is? Does it just permit someone to see your recent transactions, or does it actually allow them to make transactions using only the password? If the latter, I wouldn't trust the security in any case — you don't want your money to depend on just a password — and would move to another credit union. If the former, unless you're famous or important, it probably doesn't matter so much. – gerrit Oct 19 '12 at 22:31
  • One thing you can do is contact your credit union saying you've lost your password and need it back. If they send you back your actual password, this should set some alarm bells. – quantumSoup Oct 19 '12 at 22:32
  • @gerrit So you don't use services like PayPal? – quantumSoup Oct 19 '12 at 22:36
  • @quantumSoup I don't, but I could. If I did, the money in my PayPal account would always be much less than the money I typically have in my bank account. – gerrit Oct 19 '12 at 22:37
  • @gerrit, the services include making transfers between accounts and performing bill payments, not just viewing transactions. – devuxer Oct 19 '12 at 22:39
  • @quantumSoup, yes, it concerns me that they would care how many characters my password is because they should be hashing it to a fixed length for database storage, anyway. That's why I'm doubtful about their security expertise. – devuxer Oct 19 '12 at 22:42
  • On another note, what happens when you mistype the password? If there is a timeout then security can still be good (the reason why 3-tries 4-digit PINs are still (relatively) secure), but it won't help you if the database is read... – ratchet freak Oct 20 '12 at 01:28
  • @gerrit - What does PayPal have to do with anything? You use unique passwords, so the only account that can be compromised is a single account. – Ramhound Oct 22 '12 at 19:35
  • @Ramhound A PayPal account being compromised could cost me money. I don't have any accounts where someone could directly steal my money by compromising it (my internet bank is only accessible using my bank card + PIN code). – gerrit Oct 22 '12 at 20:00
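devuxer's comment above (and Jens Erat's comment on a later answer) makes the point that a properly stored password is hashed to a fixed length, so the length of the password itself has no bearing on storage. The Python below is an added example written for this page; it is not code from the credit union, its vendor, or anyone in the thread. It uses PBKDF2-HMAC-SHA256 from the standard library with parameters chosen here for illustration, and shows that a 10-, 28- or 200-character password all produce the same 48-byte record (16-byte salt plus 32-byte derived key), while verification compares in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters are this example's own choices, not anything the credit union uses.
ITERATIONS = 100_000   # PBKDF2 work factor; raise it as hardware allows
SALT_BYTES = 16        # per-user random salt
DIGEST_BYTES = 32      # SHA-256 output size


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a fixed-size key from the password with PBKDF2-HMAC-SHA256.
    A fresh random salt is generated unless one is supplied (used when verifying)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=DIGEST_BYTES)
    return salt, dk


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the key under the stored salt and compare in constant time,
    so a timing side channel does not leak how many leading bytes matched."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored)


def stored_record_length(password: str) -> int:
    """Bytes the database must hold for this user: salt plus derived key.
    This does not depend on len(password), which is the point of the comment above."""
    salt, dk = hash_password(password)
    return len(salt) + len(dk)


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    for pw in ("abc123XYZ0", "correct horse battery staple", "x" * 200):
        print(f"{len(pw):3d}-char password -> {stored_record_length(pw)} bytes stored")
    salt, stored = hash_password("abc123XYZ0")
    print("right password:", verify_password("abc123XYZ0", salt, stored))
    print("wrong password:", verify_password("abc123XYZ1", salt, stored))
```

If a length cap is driven by a column width, it is the stored plaintext (or reversible ciphertext) that imposes it; a hashed scheme like this one stores the same number of bytes for every user regardless of what they typed.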

6 Answers

23

WARNING: Do not change your password!

This seems exactly what scammers would do to trick you into giving them your password. Do you really think your bank would send a message like this on Friday with a deadline just over the weekend so there is no chance for you to call them for verification?

Jeff
  • Does seem like an odd timeline; is there a message like this on the CU's actual website? I would also give them a call anytime you find something suspicious like this. Let us know if it turns out to be a scam or real. – Eric G Oct 20 '12 at 17:00
  • Good point, but I'm confident this is *not* a phishing attempt. All the link URLs and phone numbers are correct, and there is no direct link to a "change your password" page, only a link to the credit union's home page. – devuxer Oct 20 '12 at 17:40
  • @Eric G, yes, there is a banner on the credit union's home page (which I accessed by manually entering the URL, not using the email's link, just in case) that warns about the new password limits. So, I'm confident it's legit. – devuxer Oct 20 '12 at 17:43
  • One other thought. Yes, it is suspicious that they would send out such a message at the last minute, but my guess is, being a small-time credit union probably working with a third-party vendor, they didn't realize until just before launch that people would need to *reduce* their password length to conform to the specifications of the new system. Plus, if their entire system was hacked, customers would still have had the opportunity to call them on Friday afternoon, so the credit union would be aware of the situation. – devuxer Oct 20 '12 at 18:20
  • @Jeff All three of the credit unions I've had accounts with do all sorts of stuff like this. I have to vet every communication from them to ensure they're not phishing, because they absolutely come across as such. And when I call in, I'm expected to provide 16-digit card numbers and full SSN as verification. Credit unions are terrible at security. – Ivan Aug 16 '17 at 19:31
15

There are two different perspectives here.

Implications for you (an expert user). If you choose your password appropriately, it is possible for you to choose your password in a way that is strong enough. If you choose a random 10-character password, where each character is randomly and independently chosen from a-zA-Z0-9 (62 possibilities), then your password will have 59 bits of entropy. That's more than sufficient in practice: it's more than enough that password-guessing is unlikely to be the easiest attack on the system, and more than enough to ensure that your password is not likely to be the weakest link in the system.

Implications for the average user. It's a different question whether this change is a good idea, given how typical users normally choose their password. My opinion: I think it is a bad idea. Many users choose passwords that are based upon words or phrases. Those kinds of passwords have many fewer than 5.7 bits of entropy per character, thus, the length limit may have a greater impact on the average user. Also, the length limit rules out long passphrases, which are one of the best ways to choose a strong password.

Bottom line. It's possible to use your credit union's system securely, so for you, the impact may be relatively minor. However, that doesn't mean their change is a good idea. I think introducing a 10-character maximum on password length is a bad idea and a pretty dubious decision on their part, so yes, it would make me worry that they are making bad decisions -- but the impact for you in particular is probably pretty modest, if you choose your new password appropriately.

For you, frankly, I would be more concerned about other threat vectors, such as malware on your machine, than about password-guessing. Also, the quality of their implementation may have a greater influence than the length limit. If they limit the number of guesses an attacker can make, if they hash and salt the stored passwords appropriately, and if they have ironclad ways to prevent leaks of the password database, then a 10-character password is probably not the weakest link in their system.

The most important thing I recommend you focus on is this: if there is unauthorized activity on your account (e.g., someone hacks into your account and performs a transaction that you did not request), who is liable? Does your credit union promise to reimburse you and make you whole for any loss? Do they state this in writing in their policies? If they do, this is their problem, not your problem. If they don't, you're taking on considerable risk regardless of what their password policies may be. In the US, my impression is that basically all banks will promise to reimburse you for any unauthorized transactions, if yours is a consumer account (not a business account). Personally, I would not do business with a bank who did not promise to reimburse me -- I'd switch banks if my bank tried to put the liability on me.

user15193
D.W.
  • Very useful answer, +1. I believe I'm protected if there are any unauthorized transactions, and I'll definitely use as strong a password as I can (and of course unique). I guess I'll wait and see before assuming the new system is not secure. – devuxer Oct 20 '12 at 18:08
  • For comparison, in 2013, 2^59 would apparently have been good enough to keep the NSA out of your PGP key for about 2^19 seconds, or six days (give or take). (See Edward Snowden's claim of 2^40 PGP passphrase guesses per second.) Unless you are a high-value target, even they might have decided before then to move on. – user Aug 16 '17 at 20:10
  • @MichaelKjörling, that doesn't take into account the difference between online guessing attacks vs. offline guessing attacks, though. 59 bits of entropy is probably more than sufficient against online guessing attacks (though I'm not sure it's enough against offline guessing attacks). – D.W. Aug 16 '17 at 23:57
  • @D.W. On the other hand, PGP's S2K (KDF) function is designed to be slow. I'd say if a passphrase is good enough to have even a chance of keeping a powerful nation-state adversary at bay for a week, then it's plenty good enough for most purposes. – user Aug 17 '17 at 07:31
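The answer above works out 59 bits for a uniformly random 10-character alphanumeric password, notes that the cap rules out passphrases, and the comments quote a rate of 2^40 guesses per second. The Python below is an added example for this page, not code from D.W. or from any bank or vendor: it computes entropy for an arbitrary alphabet size and length, generates a password of that kind with the OS CSPRNG, converts an entropy figure and a guess rate into time-to-exhaust, and compares a Diceware-style passphrase against the 10-character limit. The Diceware list size of 7776 words and the average word length of 5 are assumptions used only for that comparison.

```python
import math
import secrets
import string

# Alphabet from the answer above: a-z, A-Z, 0-9 (62 symbols).
ALNUM = string.ascii_letters + string.digits

# Assumption for the passphrase comparison: a Diceware-style list of 7776 (6^5)
# words, so each uniformly chosen word contributes log2(7776), about 12.9 bits.
DICEWARE_WORDS = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose symbols are chosen uniformly and independently
    from `alphabet_size` possibilities: length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and 1 position")
    return length * math.log2(alphabet_size)


def generate_password(length: int, alphabet: str = ALNUM) -> str:
    """Uniformly random password drawn with the OS CSPRNG (secrets).
    random.choice is seeded predictably and must not be used for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Seconds to try every one of the 2**bits candidates at the given rate:
    the offline attacker's worst case. Online attempts against a site that
    throttles or locks out are many orders of magnitude slower."""
    return 2.0 ** bits / guesses_per_second


def fits_limit(words: int, avg_word_len: int, max_chars: int) -> bool:
    """Whether a passphrase of `words` words joined by single separators
    fits within a site's maximum password length."""
    return words * avg_word_len + (words - 1) <= max_chars


if __name__ == "__main__":
    for n in (8, 10, 20):
        print(f"{n:2d} random alphanumeric chars: {entropy_bits(62, n):6.1f} bits")
    # Four Diceware words (assumed average length 5) vs. the 10-character cap.
    print("4-word passphrase:", round(entropy_bits(DICEWARE_WORDS, 4), 1), "bits;",
          "fits a 10-char limit?", fits_limit(4, 5, 10))
    # Offline guessing at the 2^40 guesses/second rate quoted in the comments.
    days = seconds_to_exhaust(59, 2 ** 40) / 86400
    print(f"2^59 space at 2^40 guesses/s: {days:.1f} days to exhaust")
    print("sample password:", generate_password(10))
```

The generalisation beyond the answer is the passphrase comparison: four Diceware words give roughly 52 bits, a little below the 10-character random string, but need about 23 characters, so the cap forces users who would otherwise pick a memorable passphrase onto shorter, typically non-random strings.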
9

Banks, as well as credit unions, are subject to guidance from the FFIEC. PCI does not necessarily guide or affect banks or credit unions, or the requirements for their members to access their online accounts (your full PAN is probably not even accessible from your bank's Internet banking site).

There are a few things to consider here in terms of risk, which will become more important in the next paragraph. What can you actually do on the CU's website? Can you transfer money to an outside account or do bill pay to an account outside of the CU? Many financial institutions really only provide a watered-down online statement functionality. In this case, yes, your balance can be exposed, but no one is going to wipe out your account, and hopefully they are redacting your full account number anyway. What other factors are in place to control access: challenge questions, site-key (personal images), CAPTCHA, graphical password input, client-side encryption of credentials, etc.? Are there mechanisms in place which make it difficult to actually perform a brute-force attack?

I think an important question to ask here is whether or not the CU is implementing multi-factor authentication for online banking, which is becoming more important as regulators are stressing it. Since 2005, the FFIEC has been pushing financial institutions to use multi-factor; see FIL-103-2005 (download the full PDF at the bottom). There has been an update push since last year with FIL-50-2011. If you are curious about more of the IT security requirements for banks and credit unions, you can view the FFIEC IT handbook. Generally, the FFIEC guidance will also apply to credit unions; it is an inter-agency organization. If you have MFA, the risk of a shorter password being brute-forced or otherwise discovered is significantly lower. Note, this should be true MFA like phone-factor or a token; site-key type images are not true multi-factor authentication.

It's also possible they may have integrated some third-party service which won't work with long passwords; there are still some vendors out there who have legacy offerings which may be very niche or have some other allure to your financial institution.

Eric G
  • It is important to note that your CU probably outsources their core banking system and Internet banking to a third-party vendor, so they might not have the level of control you think; most banks/CUs don't own or write their own systems. – Eric G Oct 20 '12 at 02:16
  • Great answer, +1. They introduced challenge questions some time ago. Perhaps the new system will have a multi-factor option. In that case, I wouldn't be as bothered by the 10-character limit. However, if they are using a legacy third-party system, it's unlikely they'd have multi-factor. I guess I'll wait and see what happens. I'll definitely be using the strongest, unique password I can generate. – devuxer Oct 20 '12 at 17:55
  • Note that this applies particularly to **U.S.** banks and credit unions; this is hardly a global regulation. Not that it's necessarily wrong, but in other countries there are different regulations that would be relevant. – AviD Oct 21 '12 at 11:20
  • Good point, I assumed the OP was American in this case. For reference, in the EU it would be the European Banking Authority (EBA). Elsewhere in the world, the regulating body will most likely be associated with the government. – Eric G Oct 25 '12 at 01:28
3

EDIT: As pointed out in the comments below, PCI doesn't apply to financial institutions unless they offer credit cards.

==

Sorry, PCI-DSS compliance only requires a length of 7. I don't have the text in front of me, but the section is 8.5.10.

Someone else can probably quote the appropriate paragraph.

Bradley Kreider
  • I don't understand why this answer was downvoted. It responds to one of the questions that the original poster asked: "are there any regulations specifying or recommending a maximum password length for online banking services?". I think it is a helpful and useful answer that contributes to our understanding. – D.W. Oct 20 '12 at 23:48
  • PCI-DSS does not apply to general banks and credit unions. – ewanm89 Oct 21 '12 at 00:00
  • @ewanm89 - You have evidence of this? – Ramhound Oct 22 '12 at 19:37
  • @Ramhound See my comment above: FFIEC, FDIC, NCUA, etc. regulate banks (they are also government entities). PCI is an industry standard which applies to credit cards and debit cards; not all financial institutions offer such things, and they frequently outsource the card-related services so they don't have the PCI liability. They also keep upvoting the answer about fraud even though OP noted this was legit and verified with the CU. – Eric G Oct 25 '12 at 01:15
  • It's also not really an answer: the OP doesn't seem concerned that 10 characters is not enough, but that there are some funny choices on the bank's side that would require downscaling of password complexity. It raises questions of whether there are funny security solutions elsewhere in their system. – bbozo Feb 08 '14 at 10:14
0

From the perspective of an ethical hacker, limiting password length can seem a little redundant. It's been proven that longer passwords hold their own against password crackers more than short complex passwords. However, it is standard to have min and max password lengths due to storage concerns (storing many lengthy passwords safely can be difficult and resource-consuming). Having a password length limit can also help prevent length-extension attacks and overrides.

  • If you have to limit password length for storage concerns, there is a much larger issue than short passwords, as passwords do not seem to get hashed before being stored. – Jens Erat Aug 16 '17 at 20:00
  • "It's been proven" where? See also https://security.stackexchange.com/q/248759/213165 – Michael Altfield Apr 26 '21 at 12:27
0

Password length is much, much more important than so-called complexity, and 12 characters is a good minimum size at this time. A 10-character maximum size is just a tad less silly than the 8-character limit we had not long ago on many systems.

That said, the numerical approximations of KeePass and other tools have a limited impact on actual security. There are a lot of ways to obtain a password where length doesn't matter, or not much.

Tom
  • "Password length is much, much more important than so-called complexity" Can you please cite your source? See also https://security.stackexchange.com/q/248759/213165 – Michael Altfield Apr 26 '21 at 12:28
  • @MichaelAltfield would the NIST standard, you know, the one that originated the whole "complexity", suffice? Or the apology of the guy who was responsible? (https://www.bbc.com/news/technology-40875534 - also otherwise widely reported) I could also point to several conference speeches on the subject I've given, but I'm afraid none of them were in English. I don't think this issue is up for debate anymore (thankfully). – Tom Apr 26 '21 at 19:59